(57) The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU, the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.




EP 0 965 902 A2 



Description 
1. BACKGROUND.



[0003] Typically, one or more integrated circuits are used to process proprietary algorithms for encrypting and decrypting that information, as well as [...], which the integrated circuits may themselves store internally. Clearly, there is a need for integrated circuits which are capable of preventing a person from inspecting, extracting, and/or modifying the confidential information [...]. Further, it is sometimes desirable to destroy certain confidential information (e.g., historical data, such as accounting information used in [...]) upon detection of intrusion.

[0004] One problem with existing security systems is that the confidential information (keys, encryption/decryption algorithms, etc.) is at some [...] in unencrypted ("cleartext") form in a non-secure environment. What is needed is [...] in which the keys and encryption/decryption engine and algorithms can be embodied and protected from intruders. Such an integrated circuit would effectively ensure that the information being processed is not made available off-chip to unauthorized persons except in encrypted form, and would encapsulate the encryption/decryption process such that the keys and algorithms are protected, particularly while [...], from a variety of potential attacks.

[0005] Existing secure integrated circuits [...] for destroying the confidential information stored therein when intrusion is detected. One example of a barrier is the deposition of one or more conductive layers overlying memory cells inside [...]; such layers prevent the inspection of the memory cells by diagnostic tools such as a scanning [...]. Another example is a photo detector connected to a switching [...] for destroying [...] memory cells inside a secure integrated circuit upon detection of light. When power is turned off, [...] memory cells, which may contain confidential information, [...]; the photo detector will be exposed to light only [...].

[0006] One problem with existing security systems is that it is hard to [...] the behavior of the security features once the integrated circuit [...]. Such systems are [...]. [...] undertake the expensive and time-consuming task of designing and [...] custom security features for [...]. Another consequence [...] money to design, test, and fabricate integrated circuits, each customized for a special environment [...] yet [...] ability [...].

[0008] There are many situations in which it [...] to modify the security features in [...] the application and environment. For example, if the secure integrated circuit is used to process data [...], it will be prudent to implement a [...] (e.g., keys) inside the integrated circuit upon detection [...].

[0009] [...] policies can be implemented.



2. SUMMARY OF THE INVENTION.

[0010] The present invention is embodied in [...]

[...] privacy along the way. This is accomplished by the following SPU-based features: positive identification and reliable authentication of the card user, message privacy through a robust encryption capability supporting the major cryptographic standards, secure key exchange, secure storage of private and secret keys, algorithms, certificates or, for example, transaction records or biometric data, verifiability of data and messages as to their alteration, and secure authorization capabilities, including digital signatures.

[0011] The access card could be seen as a form of electronic wallet, holding personal records, such as one's driver's 
license, passport, birth certificate, vehicle registration, medical records, social security cards, credit cards, biometric 
information such as finger- and voiceprints, or even digital cash. 

[0012] A personal access card contemplated for everyday use should be resilient to the stresses and strains of such use, i.e. going through X-ray machines at airports, the exposure to heat if left in a jacket placed on a radiator, a mistyped personal identification number (PIN) by a flustered owner, etc. Thus, in such an application, the SPU could be programmed with high tolerances to such abuses. A photo detector triggered by X-rays might be cued a few moments later to see if the exposure had stopped. Detection of high temperature might need to be coupled to other symptoms of attack before defensive action was taken. A PIN number entry could be forgiving for the first two incorrect entries before temporarily disabling subsequent functions as is the case with many ATMs.

[0013] For an application like a Tessera Crypto-Card, a secure cryptographic token for the new Defense Messaging 
System for sensitive government information, the system might be programmed to be less forgiving. Handling proce- 
dures for Tessera Card users may prevent the types of common, everyday abuses present in a personal access card. 
Thus, erasure of sensitive information might be an early priority. 
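The tolerant and strict policies sketched in [0012] and [0013], as an added example that is not code from the patent: a small detector/filter/response model in which the same detector events produce different responses under each profile. The detector names, the re-check delay, the corroboration window and the PIN allowance are assumed values chosen to mirror the text.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    detector: str   # "photo", "temperature" or "pin_fail"  (assumed names)
    t: float        # seconds on a constructed timeline


@dataclass(frozen=True)
class Policy:
    name: str
    photo_recheck_s: Optional[float]   # None: light is treated as an attack at once
    temp_needs_corroboration: bool     # require another detector inside the window
    corroboration_window_s: float
    pin_forgiven: int                  # wrong PINs tolerated before disabling


# Profile in the spirit of [0012]: X-ray machines, radiators and flustered owners.
ACCESS_CARD = Policy("access card", photo_recheck_s=2.0,
                     temp_needs_corroboration=True, corroboration_window_s=10.0,
                     pin_forgiven=2)
# Profile in the spirit of [0013]: everyday abuse is ruled out, so erase early.
TESSERA_STYLE = Policy("tessera style", photo_recheck_s=None,
                       temp_needs_corroboration=False, corroboration_window_s=0.0,
                       pin_forgiven=0)

Response = Tuple[float, str]


def filter_events(policy: Policy, events: List[Event],
                  light_at: Callable[[float], bool]) -> List[Response]:
    """Correlate raw detector events under a policy and pick responses.

    light_at(t) models re-sampling the photo detector at time t; the filter
    uses it to check whether an X-ray exposure has already stopped.
    Responses are 'log_only', 'disable_temporarily' or 'erase_keys'.
    """
    responses: List[Response] = []
    seen: List[Event] = []          # history used for corroboration
    pin_failures = 0
    for ev in sorted(events, key=lambda e: e.t):
        if ev.detector == "photo":
            if policy.photo_recheck_s is None:
                responses.append((ev.t, "erase_keys"))
            else:
                t_recheck = ev.t + policy.photo_recheck_s
                if light_at(t_recheck):           # still lit: not a passing X-ray
                    responses.append((t_recheck, "erase_keys"))
                else:
                    responses.append((ev.t, "log_only"))
        elif ev.detector == "temperature":
            corroborated = any(
                e.detector != "temperature"
                and 0 <= ev.t - e.t <= policy.corroboration_window_s
                for e in seen)
            if corroborated or not policy.temp_needs_corroboration:
                responses.append((ev.t, "erase_keys"))
            else:
                responses.append((ev.t, "log_only"))
        elif ev.detector == "pin_fail":
            pin_failures += 1
            if pin_failures > policy.pin_forgiven:
                responses.append((ev.t, "disable_temporarily"))
            else:
                responses.append((ev.t, "log_only"))
        else:
            raise ValueError(f"unknown detector {ev.detector!r}")
        seen.append(ev)
    return responses


# Constructed scenarios (not from the patent).
AIRPORT = [Event("photo", 0.0), Event("temperature", 100.0),
           Event("pin_fail", 200.0), Event("pin_fail", 201.0), Event("pin_fail", 202.0)]
PROBING = [Event("photo", 0.0), Event("temperature", 3.0)]


def no_light(t: float) -> bool:      # X-ray burst is over by the re-check
    return False


def steady_light(t: float) -> bool:  # package opened: light stays on
    return True


if __name__ == "__main__":
    for policy in (ACCESS_CARD, TESSERA_STYLE):
        print(policy.name, "airport:", filter_events(policy, AIRPORT, no_light))
        print(policy.name, "probing:", filter_events(policy, PROBING, steady_light))
```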

[0014] Various encryption schemes have been proposed, such as where a user creates and authenticates a secure digital signature, which is very difficult to forge and thus equally difficult to repudiate. Because of a lack of portable, personal security, however, electronic communications based on these schemes have not gained widespread acceptance as a means of conducting many standard business transactions. The present invention provides the level of security which makes such electronic commerce practical. Such a system could limit, both for new and existing applications, the number of fraudulent or otherwise uncollectible transactions.

[0015] Another possible application is desktop purchasing, a delivery system for any type of information product that can be contained in electronic memory, such as movies, software or databases. Thus, multimedia-based advertisements, tutorials, demos, documentation and actual products can be shipped to an end user on a single encrypted CD-ROM or broadcast through suitable RF or cable channels. Virtually any content represented as digital information could be sold off-line, i.e. at the desktop, with end users possibly permitted to browse and try such products before buying.
[0016] The encryption capabilities of the SPU could be employed to decrypt the information, measure and record 
usage time, and subsequently upload the usage transactions to a centralized billing service bureau in encrypted form, 
all with a high degree of security and dependability. The SPU would decrypt only the appropriate information and trans- 
fer it to a suitable storage medium, such as a hard disk, for immediate use. 

[0017] Information metering, software rental and various other applications could also be implemented with an SPU-based system, which could authenticate users and monitor and account for their use and/or purchase of content, while securing confidential information from unauthorized access through a flexible security policy appropriate to the specific application.

[0018] This pay-as-you-go option is an incentive to information providers to produce products, as it minimizes piracy by authenticating the user's initial access to the system, securing the registration process and controlling subsequent use, thereby giving end users immediate access to the product without repeated authorization.
[0019] Other aspects and advantages of the present invention will become apparent from the following description of
the preferred embodiment, taken in conjunction with the accompanying drawings and tables, which disclose, by way of 
example, the principles of the invention. 


3. BRIEF DESCRIPTION OF THE DRAWINGS.
[0020] 

FIG. 1 is a simplified block diagram of the apparatus in accordance with the present invention, showing the Secured
Processing Unit (SPU) for performing PDPS. 

FIG. 2 is a simplified block diagram of the Power Block shown in FIG. 1.
FIG. 3 is a schematic representation of the Silicon Firewall.

FIG. 4 is a schematic representation of an embodiment of the Silicon Firewall shown in FIG. 3.




FIG. 5 is a schematic representation of an alternative embodiment of the Silicon Firewall shown in FIG. 3.

FIG. 6 is a block diagram of the System Clock shown in FIG. 1.

FIG. 7 is a schematic representation of the Ring Oscillator shown in FIG. 6. 

FIG. 8 is a block diagram of the Real Time Clock shown in FIG. 1.

FIG. 9 is a flowchart of the firmware process for performing the Inverting Key Storage. 

FIG. 10 is a schematic representation of the Inverting Key Storage. 

FIG. 11 is a block diagram of an embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 12 is a schematic representation of an alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 13 is a schematic representation of a second alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 14(a) is a flowchart of the firmware process for performing the Clock Integrity Check.
FIG. 14(b) is a flowchart of the firmware process for performing the Power Integrity Check. 
FIG. 15 is a flowchart of the firmware process for performing the Bus Monitoring Prevention. 
FIG. 16 is a flowchart of the firmware process for performing the Trip Wire Input.
FIG. 17 is a flowchart of the firmware process for performing the Software Attack Monitor. 
FIG. 18 is a flowchart of the firmware process for performing the Detection Handler. 

FIG. 19 is a simplified representation of the stages of the Filtering Process, including correlating the detectors and selecting the responses.

FIG. 20 is a flowchart of the [...] in the context of a simple SPU application; in this instance, using an SPU-equipped [...] debit card.

4. DETAILED DESCRIPTION.

General Architecture.

[0021] [...]

[0022] Referring to FIG. 1, the gross features [...]. [This is not meant to] be a literal description of the SPU layout, as [the blocks are] regrouped in order to gain a better conceptual understanding of the principles [...]. Micro Controller 3 is isolated from all off-chip input - such input regulated by the External Bus Interface 9 [and] the general purpose I/O Port Block 1 - instead receiving programmed commands via the Internal System Bus 10 from the on-board ROM Block 7. In one embodiment, the ROM Block 7 is configured at [...] and the RAM Block 8 is configured at 4 KBytes. The Internal System Bus 10 [...] the SPU peripherals, such as the address and data lines, read and write strobes, [...] Controller clock signal, CTTL 25.

[0023] The System Clock Block has a [...] oscillator, and is the source, through [...], of the [...] that governs all peripheral functions.
[0024] [...] architecture, and which builds upon and significantly enhances the UNIX time format (UNIX time being the number of seconds elapsed since January 1, 1970). The Real Time Clock 5 is implemented through a binary ripple counter which is driven via RTCLK 29 by an off-chip external 32.768 kHz quartz crystal 14 in conjunction with RTC Oscillator 14 circuitry. Through an offset in battery-backed RAM 8, for example, the Real Time Clock 5 provides UNIX time, and can implement a host of time-based functions and time limits under ROM Block 7 program control. One firmware routine stored in the ROM Block 9 cross-checks the System Clock 2 and Real Time Clock 5 so as to overcome tampering with the latter.

[0025] The I/O Port Block 1 is a general-purpose programmable input/output interface which can be used to access off-chip RAM, and meet general I/O requirements. Off-chip RAM (not shown) would be typically used for information that cannot be accommodated internally but, for security and performance reasons, still needs to be closer to the SPU than main system memory or disk storage. This information may be protected by modification detection codes, and may or may not be encrypted, depending on application requirements. In addition to serving as a memory interface, several signals on this port can be used to implement cryptographic alarms or trip wire inputs, or even to zero inputs or keys.
[0026] The External Bus Interface Block 9 is the communications port to the host system. In one embodiment it is the means for getting the application commands as well as data to and from the SPU, and is designed to match the ISA bus standard requirements.

[0027] The Power Block 13 switches between system and battery power depending on system power availability. Power from an external battery (not shown) is supplied to the RTC Block 5, the RAM Block 8 and a Status Register 11 through VPP 24, as well as off-chip RAM (not shown) through VOUT 23 when system power is not available. The Power Block 13 also provides signals PWRGD 27, DLY_PWRGD 26 and CHIP_PWRGD 28, which, respectively, start the System Clock 2, reset the Bus Controller 4 and enable the isolation of the battery-backed parts of the circuit from the non-battery backed parts through the Power Isolation 12.

[0028] A Silicon Firewall 20 protects the internal circuitry from any external asynchronous or otherwise anomalous signals, conditioning the inputs from the I/O Port Block 1 via PIN lines 32 or the External Bus Interface 9 via ADDR/DATA lines 33, the RESET 30 to the Bus Controller 4, as well as from a host of security detectors. Some internally generated signals, such as the output of the Real Time Clock 5, are similarly conditioned.
[0029] The Status Register 11 is the repository of all hardware detector signals arrayed through the device to detect various attempted security breaches. Detectors may include a Photo Detector 16, Temperature Detector 17, Metallization Layer Detector 18 and any Additional Detectors 19 (represented in ghost), for example: high/low voltage detectors, vibration detectors, sand detectors. Each of these detectors may convey one or more bits of information which, in one embodiment, are stored in the Status Register 11. The Status Register 11 may also store internally generated signals, such as the ROLLOVER 34 signal from the Real Time Clock 5 and the Valid RAM and Time (VRT) bit, used to verify the integrity of the information stored in the RAM Block 8 and the time counter in the Real Time Clock 5.
[0030] In one embodiment, a DES Engine 6 is provided as a cryptographic engine to encrypt and decrypt data using its DES algorithm. Alternative embodiments of cryptographic engines may be implemented entirely in hardware or in a combination of hardware and software, and may use other cryptological algorithms, including RSA or secret algorithms such as RC2, RC4, or Skipjack or combinations thereof. The DES Engine 6 receives keys and data for the cryptographic process from the RAM Block 8 under the control of the Micro Controller 3. The data used could be application data supplied from the External Bus Interface 9 or protected data from the RAM Block 8. The DES Block 6, in one embodiment, performs a decryption of a 64-bit block in 18 clock cycles. Thus, with an SPU rated at 20 MHz, a single decryption will take approximately 90 ns, which amounts to a decryption rate of 8.9 Mbytes per second.
[0031] Typically, the SPU receives "messages" in encrypted form. The cryptographic engine (e.g. DES Engine 6) uses keys, for example, "session keys" specific to a particular application transaction or "session". The cryptographic engine is thus used to encrypt or decrypt the messages, or perform other cryptographic operations as is well-known in the art. In addition to providing secure message transfer, the SPU also provides secure key transfer. By having, or indeed even generating a "master key" internally (using any of the well-known key generation techniques for public or secret key algorithms), the SPU can receive session keys in encrypted form and, treating them like messages, decrypt them with the cryptographic engine using the master key. Conversely, the SPU can encrypt and send messages in a secure manner. The master key, the decrypted session keys and other sensitive information (e.g. the encryption/decryption algorithms) are stored in secure rewritable memory on the SPU, as described below.

I. Power Block. 

[0032] The security requirements of the SPU impose special requirements on the power supply. As the Real Time Clock 5 is used to maintain accurate time and the RAM 8 is used to store and maintain information, both for the field life of the product, each must have a continuous source of power, VPP 24, which here is supplied by the Power Block 13.
[0033] Referring now to FIG. 2, the battery VBAT 21 and system VDD 22 voltages are supplied to the Power Switching Circuit 101. This circuit uses a conventional analog comparator to determine the higher of the two voltages, VDD 22 and VBAT 21, and provide such voltage as VPP 24 to the internal circuitry and as VOUT 23, which could be used as a voltage supply for off-chip RAM, for example. The Power Switching Circuit 101 also provides a PWRGD 27 signal, which is used to indicate whether the entire SPU chip is powered through VDD 22 (the high state), as opposed to only the battery-backed sections being powered via VBAT 21 (the low state). In one embodiment, the threshold is reached when VDD 22 exceeds 1.2 times VBAT 21. If the external battery is dead, VBAT 21 is effectively zero, and PWRGD 27 goes high as soon as VDD 22 is turned on.

[0034] The PWRGD 27 signal, as not originating from the Internal Data Bus 10, would represent a security risk within the circuitry inside the Silicon Firewall 20, if left untreated. However, unlike other signals that are passed through the Silicon Firewall 20, PWRGD 27 is used to start the System Clock 2, as discussed below, and thus cannot be conditioned and synchronized by the Silicon Firewall 20 in the manner those other signals are treated. Thus, the Power Switching Circuit 101 conditions the PWRGD 27 signal by a low-pass filter, which acts as a "glitch eater" to prevent any rapid changes in the resultant PWRGD 27 signal and give it a sufficiently narrow bandwidth as to admit to the internal [...].

[0035] Two counters, PWRUP Counter 102 and PWRDN Counter 103, are provided to produce DLY_PWRGD 26, a delayed version of PWRGD 27, as clocked by the system clock CTTL 34 signal. These counters may be conventional devices as is well known in the art. In one embodiment, this DLY_PWRGD 26 signal is used as an input to the AND gate 31 incident to the Bus Controller 4, as shown in FIG. 1, thus assuring the SPU is always powered up in the reset state. The DLY_PWRGD 26 and PWRGD 27 signals are combined through an AND gate 114 to produce another signal, CHIP_PWRGD 28.

[0036] The CHIP_PWRGD 28 signal is provided to prevent current flow from the battery-backed circuitry to the rest of the circuit that is not powered when the system power VDD 22 is removed, and thus allow for the orderly shutdown of the non-battery-backed sections. This signal acts as an early detection system for the system power going away. Referring to FIG. 1, the CHIP_PWRGD 28 signal is used by the Power Isolation Circuit 12 which isolates the inputs and outputs of the Real Time Clock 5, RAM 8 and Status Register 11 from non-battery-backed sections of the chip. CHIP_PWRGD 28 is conditioned in the manner of the Silicon Firewall 20 described below; this process has the added advantage of preventing any invalid writes to the RAM 8 or Real Time Clock 5 when the power [...].

[0037] As described above, the DLY_PWRGD 26 signal may be used as a reset. However, if the PWRUP Counter 102 is powered up in the wrong state, it may affect the reset operation of the rest of the device. The state machine of the PWRUP Counter 102 could power up in a state of continual reset owing to the dual requirements of powering up without reset and delaying the stopping of CTTL 34 clocking upon power down. To overcome this problem, a separate analog circuit VccPUD 104 is provided, with inputs SET_PWUP 110 and CLR_PWUP 111, which, respectively, set and clear the output VCCPWUP 107. The VccPUD 104 circuit also monitors VDD 22 such that VCCPWUP 107 will also clear if VDD 22 falls below approximately 2V. In this embodiment, VDD 22 is supplied by the Power Switching Circuit 101 via VREF [...].

[0038] The operation of the PWRUP Counter 102 and PWRDN Counter 103 in conjunction with VccPUD 104 is thus as follows. On power up, until the system power VDD 22 comes up above 1.2 times VBAT 21, VCCPWUP 112 acts as a reset to PWRUP Counter 102 and PWRDN Counter 103; afterwards PWRGD 27 and consequently VCCPWUP 112 will come up, triggering the start of the PWRUP Counter 102. Seven clock cycles later, as clocked by CTTL 34, the DLY_PWRGD 26 and CHIP_PWRGD 28 signals will go high. Conversely, when VDD 22 comes down, before it dips below 2V it will drop below 1.2 times VBAT 21, thus PWRGD 27 will go low, starting the PWRDN Counter 103 via inverter 108. Eight clock cycles later, the PWRDN Counter 103 will trigger the SHUTDOWN 113 signal which will activate CLR_PWUP 111, causing VCCPWUP 112 to go low, resetting the PWRDN Counter 103 via AND gate 107 and the PWRUP Counter 102 via inverter 109. Thus, if the PWRGD 27 signal is low for longer than seven clock cycles the entire device is reset as if power has been completely removed. This delay takes into account transients in the power supply where VDD 22 goes high but dips below 2V briefly before returning to an acceptable level.
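The power-up and power-down sequencing of [0033] to [0038], as an added cycle-level simulation that is not the patent's circuit or code: the 1.2 x VBAT comparator threshold, the 2 V VccPUD floor, the seven-cycle PWRUP count and the eight-cycle PWRDN count are taken from the text, while the 3 V battery, the VDD traces and the rule that a returning PWRGD clears the PWRDN counter are assumptions.

```python
from typing import Dict, List, Optional

# Values read from [0033], [0037] and [0038]; VBAT is a constructed battery voltage.
VBAT = 3.0
PWRGD_RATIO = 1.2     # PWRGD 27 goes high when VDD 22 exceeds 1.2 x VBAT 21
VCC_MIN = 2.0         # VccPUD 104 clears VCCPWUP if VDD 22 falls below about 2 V
PWRUP_CYCLES = 7      # DLY_PWRGD 26 rises seven CTTL cycles after PWRGD 27
PWRDN_CYCLES = 8      # SHUTDOWN 113 fires eight CTTL cycles after PWRGD 27 drops


class PowerBlock:
    """Cycle-level model of the PWRUP/PWRDN counters and VccPUD of FIG. 2."""

    def __init__(self) -> None:
        self.vccpwup = False      # VCCPWUP: set by PWRGD, cleared by SHUTDOWN or low VDD
        self.pwrup = 0            # PWRUP Counter 102
        self.pwrdn = 0            # PWRDN Counter 103
        self.dly_pwrgd = False    # DLY_PWRGD 26
        self.resets = 0           # full-device resets seen so far

    def _reset(self) -> None:
        self.vccpwup = False
        self.pwrup = self.pwrdn = 0
        self.dly_pwrgd = False

    def step(self, vdd: float) -> Dict[str, bool]:
        """Advance one CTTL cycle with system voltage vdd; return the signals."""
        was_up = self.vccpwup
        pwrgd = vdd > PWRGD_RATIO * VBAT          # analog comparator
        if vdd < VCC_MIN:
            self._reset()                          # VccPUD clears VCCPWUP
        elif pwrgd:
            self.vccpwup = True                    # SET_PWUP
            self.pwrdn = 0                         # assumption: PWRGD high holds PWRDN off
            if self.pwrup < PWRUP_CYCLES:
                self.pwrup += 1
            if self.pwrup == PWRUP_CYCLES:
                self.dly_pwrgd = True
        elif self.vccpwup:
            self.pwrdn += 1                        # PWRGD low: count toward SHUTDOWN
            if self.pwrdn >= PWRDN_CYCLES:
                self._reset()                      # SHUTDOWN -> CLR_PWUP
        if was_up and not self.vccpwup:
            self.resets += 1
        # CHIP_PWRGD drops the moment PWRGD does: early warning for Power Isolation 12.
        chip_pwrgd = self.dly_pwrgd and pwrgd
        return {"PWRGD": pwrgd, "DLY_PWRGD": self.dly_pwrgd,
                "CHIP_PWRGD": chip_pwrgd, "VCCPWUP": self.vccpwup}


def simulate(vdd_trace: List[float]) -> List[Dict[str, bool]]:
    pb = PowerBlock()
    return [pb.step(v) for v in vdd_trace]


def resets_during(vdd_trace: List[float]) -> int:
    pb = PowerBlock()
    for v in vdd_trace:
        pb.step(v)
    return pb.resets


def first_high(vdd_trace: List[float], signal: str) -> Optional[int]:
    """Index of the first cycle in which `signal` is high, or None."""
    for i, s in enumerate(simulate(vdd_trace)):
        if s[signal]:
            return i
    return None


# Constructed VDD traces (volts per CTTL cycle).
STEADY = [5.0] * 20
POWER_UP = [0.0] * 3 + STEADY
SHORT_DIP = STEADY + [3.0] * 3 + STEADY   # 3-cycle brownout: below 1.2 x VBAT, above 2 V
LONG_DIP = STEADY + [3.0] * 8 + STEADY    # 8-cycle brownout: treated as power removed

if __name__ == "__main__":
    print("PWRGD at cycle", first_high(POWER_UP, "PWRGD"),
          "DLY_PWRGD at cycle", first_high(POWER_UP, "DLY_PWRGD"))
    for name, trace in (("short dip", SHORT_DIP), ("long dip", LONG_DIP)):
        print(name, "resets:", resets_during(trace))
```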

II. Alarm Wake Up. 

[0039] One embodiment of the present invention disables detection capability when the SPU is running on battery power VBAT 21 only. In an alternative embodiment, in the absence of system power, VDD 22, non-battery backed parts of the SPU are temporarily powered through VBAT 21. As represented in ghost in FIG. 1, if any detector triggers a signal, the OR gate 39 would send an ALARM 38 signal to the Power Block 13.

[0040] With further reference to FIG. 2, if VBAT 21 alone was sufficiently high to power the whole SPU, a suitably modified Power Switching Circuit 101 would, upon triggering by the ALARM 38 signal: (i) generate a PWRGD 27 signal much as seen before; (ii) generate a new signal, APWRGD 40, to indicate that the SPU was operating under alarm-triggered "emergency power"; and (iii) switch VREF 115 from VDD 22 to VBAT 21 so as not to interfere with the powering up process. In the continued absence of adequate VDD 22, a SLEEP 41 signal received by the Power Switching Circuit 101 would make PWRGD 27 and APWRGD 40 go low, switch VREF 115 back to VDD 22, and so trigger a power down much as seen before.

III. Silicon Firewall.

[0041] A common assumption, when defining a security model, is that everything inside a system is protected while everything outside is not protected. In any effort to plan for security features, it is crucial to establish a clear understanding of the system boundary and to define the threats, originating outside the boundary, against which the system must defend itself. In the case of the SPU, the system boundary is the silicon boundary, or equivalently, the pins of the SPU package. The components inside the system boundary are of two types: those responsible for maintaining the security of the system; and those responsible for performing other functions. Separating the two types of components is the boundary called the security perimeter, with the area between the security perimeter and the silicon boundary called the silicon firewall. The silicon firewall's role is thus to defend the security perimeter. One aspect of this role, for example, is to prevent asynchronous inputs from outside the security perimeter reaching inside untreated; such inputs may drive the system into unpredictable and uncontrollable states.

[0042] The Micro Controller 3 is one of the least trusted components in the SPU, precisely because it is difficult to verify all the multitudinous states of a micro controller. Consequently, the Micro Controller 3 in an SPU should be protected from asynchronous or otherwise abnormal inputs, i.e., signals which are outside the normal operating mode of the Micro Controller 3. Examples of abnormal inputs are signals which have disallowed input levels (e.g., signals which have neither valid high nor valid low logic levels) and signals which have timing transitions which are out-of-specification. Not only do input signals external to the SPU need treatment, but all internal signals which are asynchronous to the Micro Controller must be treated by special protection circuitry.

[0043] A common technique to prevent asynchronous and abnormal inputs is to equip all inputs to a semiconductor chip with Schmitt trigger devices coupled with latch circuits, which thereby ensure that signals cannot change state while they are being sampled by the semiconductor chip. However, it is difficult to fabricate Schmitt triggers. Furthermore, Schmitt triggers are slow because of hysteresis effects. The SPU according to the present invention uses a "Silicon Firewall" design to protect all interfaces to the Micro Controller 3. One of the designs of the Silicon Firewall involves a state machine. FIG. 3 shows one embodiment of a state machine 710 which could be used as a Silicon Firewall. State machine 710 comprises a data register 712, the state of which is controlled by a clock 714. In this embodiment, state machine 710 operates as a four t-state machine. During any time other than t1, data is locked out of data register 712. In t1, input data (if available) is latched into an input port 716 of data register 712. However, data is not available to the output port 717 of data register 712 until t3. Consequently, any metastable states of the input data are nullified by the two t-cycle delay.

[0044] FIG. 4 shows an embodiment of a data register 720 which can be advantageously used in state machine 710. Register 720 comprises two D flip-flops 722 and 724. The output terminal 726 of flip-flop 722 is coupled to the input terminal 727 of flip-flop 724. A clock signal is sent to the clock terminals 728 and 729 of flip-flops 722 and 724, respectively, along line 730.

[0045] When an external signal, which is generally asynchronous, is applied to the input terminal 732 of flip-flop 722, its state (high or low) is latched into flip-flop 722 only at the rising edge of the first clock pulse. This state is kept the same until the rising edge of the second clock pulse. As a result, the output signal at terminal 726 of flip-flop 722 remains at the same state from the rising edge of the first clock pulse to the rising edge of the second clock pulse, regardless of the state of the input signal between the two rising edges.

[0046] The state of the output terminal 726 of flip-flop 722, which corresponds to the external signal at the rising edge of the first clock pulse, is latched into flip-flop 724 at the rising edge of the second clock pulse. Consequently, the output terminal 734 of flip-flop 724 will have a state equal to the state of the external signal at the rising edge of an earlier clock pulse.

[0047] It can be seen from data register 720 that the input is sampled at a time determined (i.e., synchronized) by the 
clock pulses. In addition, any abnormal signal is filtered by flip-flop 722. Consequently, the signal connected to the 
embedded controller is a normal and synchronized signal. 
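The behaviour of data register 720 described in [0044] to [0047], as an added cycle-level model (not the patent's circuit or code): the input is seen only at rising edges, so a glitch between edges never reaches terminal 734, and the output lags the input by one edge. The 10 ns clock period, the constructed waveform and the rule that an invalid level caught at an edge resolves to flip-flop 722's previous state are assumptions.

```python
from typing import List, Optional, Tuple

# A sample is True/False for a valid logic level, or None for an invalid level
# (between valid high and valid low) present at the moment of a rising edge.
Sample = Optional[bool]


class TwoFlopSynchronizer:
    """Behavioural model of data register 720: flip-flops 722 and 724.

    Flip-flop 722 samples the external signal only at rising clock edges; an
    invalid level caught at an edge is assumed to resolve to 722's previous
    state before the next edge (assumption, not stated in the patent).
    Flip-flop 724 re-latches 722's output, so terminal 734 always carries a
    valid level equal to the input as it was at the previous edge.
    """

    def __init__(self) -> None:
        self.q726 = False   # output terminal 726 of flip-flop 722
        self.q734 = False   # output terminal 734 of flip-flop 724

    def rising_edge(self, level: Sample) -> bool:
        # Both flops clock together: 724 takes 722's state from the last edge.
        self.q734 = self.q726
        if level is None:
            level = self.q726           # metastable input resolves (assumption)
        self.q726 = level
        return self.q734


def level_at(transitions: List[Tuple[float, bool]], t: float) -> bool:
    """Level of a constructed asynchronous signal at time t (starts low)."""
    level = False
    for t0, new_level in transitions:
        if t0 <= t:
            level = new_level
    return level


def sample_at_edges(transitions: List[Tuple[float, bool]],
                    period: float, edges: int) -> List[bool]:
    """What flip-flop 722 sees: the input level at each rising edge only."""
    return [level_at(transitions, k * period) for k in range(edges)]


def synchronize(samples: List[Sample]) -> List[bool]:
    """Run the samples through the two-flop register; returns terminal 734."""
    reg = TwoFlopSynchronizer()
    return [reg.rising_edge(s) for s in samples]


# Constructed waveform, 10 ns clock: a 4 ns glitch between the first two
# edges, then a genuine pulse lasting from 22 ns to 55 ns.
GLITCHY_INPUT = [(3.0, True), (7.0, False), (22.0, True), (55.0, False)]

if __name__ == "__main__":
    seen = sample_at_edges(GLITCHY_INPUT, 10.0, 8)
    print("sampled:", seen)                # the glitch is never sampled
    print("output :", synchronize(seen))   # one edge later, valid levels only
    print("metastable:", synchronize([False, None, True, None]))
```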

[0048] FIG. 5 shows an alternative embodiment of a data register 740 which can be advantageously used in state machine 710. Data register 740 consists of a multiplexer 742, a D flip-flop 744, a buffer 746, and a device 748 for generating a clock signal having four t-states in response to an input clock signal on line 750. The output of multiplexer 742 is connected to the input of D flip-flop 744, and the output of D flip-flop 744 is connected to the input of buffer 746 and one of the input terminals of multiplexer 742. The other terminal of multiplexer 742 is connected to an external signal (typically asynchronous). Device 748 generates a clock signal on line 752 which controls multiplexer 742 such that the external asynchronous signal on line 758 is coupled to D flip-flop 744 only at time t1. Device 748 also generates a clock signal on line 754 which controls buffer 746 such that the output signal of D flip-flop 744 passes through buffer 746 only at time t3. As a result, the signal on line 756 is synchronized.
IV. Internal System Clock.



[0049] A system clock compatible with PDPS faces a series of design considerations: cost, governmental regulatory 
compliance, printed circuit board area, power consumption and last, but most important, security. The desire for high 
performance places a premium on clock speed, which is directly proportional thereto. 

[0050] The cost of clocking circuits increases with frequency, and external clocks may represent a sizeable fraction of 
the entire manufacturing cost. The greater the physical extent of the high-frequency circuitry, the greater the high-fre- 
quency EM emissions, resulting in both a problem for security as well as meeting FIPS 140-1 requirements. EM emis- 
sions can give surprising amounts of information to sophisticated attackers - by analyzing the power spectrum, one 
might even deduce which type of algorithm is being processed at any particular time. As compared with an internal 
clock sitting right on the microprocessor, an external clock coupled to a microprocessor cannot be made to comply as 
easily with the FIPS 140-1 EMI/EMC requirements which impose limits on EM emissions. External clocking arrange- 
ments can use significant real estate on printed circuit boards and hence restrict design applications. The desire to 
reduce power consumption favors internal clocks: they can operate at lower voltages than external ones, which have to 
deal with high outside EM interference; and, they have smaller power dissipation capacitances owing to their smaller 
physical dimensions. Moreover, the presence of an external clock allows a potential chip attacker to manipulate the 
clock speed, a factor which may allow it to foil other security devices. 

[0051] Internal oscillators, of themselves, are not novel structures. One can find a programmable internal oscillator in Carver Mead and Lynn Conway, Introduction to VLSI Systems, Addison-Wesley (1980), pp. 233-236. Another example is a phase-locked loop circuit which locks upon an external low frequency reference, as described by Brian Case, "Sony & HDL Detail Embedded MIPS Cores", Microprocessor Report, vol. 7, no. 15, November 15, 1993. This outside link through an external reference is completely inappropriate in a security environment, however.
[0052] Referring now to FIG. 6, the System Clock 2 is implemented using a standard 5-clock-cycle shutdown, 5-clock-cycle enable, state machine once a change request has been detected. The Bus Interface and Decoder 151 selects and decodes three types of signals off the Internal Bus 10: the internal system clock signal CTTL 34 which is passed onto Power Block 13 as was illustrated in FIG. 1; a STOP_CLK 166 signal to stop the System Clock 2; and the 4 bit signal OSC_FREQ 172, representing the programmed frequency for the Ring Oscillator 156. The OSC_FREQ 172 signal is stored in the Oscillator Control Register 152, and is fed into the Change Pulse Generator 153. The STOP_CLK 166 and PWRGD 27 signals are fed into AND gate 164, the output of which is fed into the Change Pulse Generator 153, AND gate 165, the set of entry latches 154, the Clock Edge Prohibit 155, and the resets for the D flip-flops 159-163. Thus, when the Change Pulse Generator 153 detects a change in any of its inputs, it generates a pulse CHANGE_DETECTED 167 which is latched onto the latch 158. The D flip-flops 159-163 act as a shift register, propagating the latched signal from latch 158 down the line in five clock cycles, the clocking generated by RING_CLK_OUT 170, the output of the Ring Oscillator 156. When the signal has propagated through the last D flip-flop 163, it generates: (i) an OPEN_LATCH 168 signal to the entry latches 154 and Clock Edge Prohibit 155; and (ii) a CLOSE_LATCH 169 signal to the exit latch 157 and the AND gate 165, thus resetting the latch 158.

[0053] The OPEN_LATCH 168 signal, in conjunction with a high signal from the AND gate 164, will enable the Clock Edge Prohibit 155, which is a one-shot trigger generating a SHUTDOWN_CLK 171 signal for approximately 120 ns, allowing a new frequency to be programmed into the Ring Oscillator 156 without introducing transient glitches. At the same time, the CLOSE_LATCH 169 signal will remain low for one clock cycle, resulting in the output SYSCLK 35 having a longer duty cycle for one clock cycle, and then the data in the Oscillator Control Register 225 will correspond to the output frequency of SYSCLK 35.

[0054] The Ring Oscillator 156 itself will now be described. To compensate for the wide process variations introduced in manufacture, resulting in variances in individual clock rates over a wide range, the Ring Oscillator 156 is programmable to sixteen different frequencies of operation: 22 MHz, 23 MHz, 24.8 MHz, 26.2 MHz, 27.7 MHz, 29 MHz, 31.9 MHz, 34.3 MHz, 37.8 MHz, 40.2 MHz, 46 MHz, 51.2 MHz, 58.8 MHz, 64.9 MHz, 82.2 MHz and 102.2 MHz. The particular nature of the Micro Controller 3, as well as concerns for the operational compatibility with the ROM 7, dictated that these nominal frequencies be divided by two before the signal leaves the Ring Oscillator 156 and is provided to the Micro Controller 3 via SYSCLK 35.
[0055] Referring now to FIG. 7(a), one can see that this aforementioned frequency division is accomplished by the D flip-flop 210 whose output is RING_CLK_OUT 170. The OSC_FREQ 172 signals are supplied in pairs to one of two multiplexers MUX1 204 and MUX2 208. The output of MUX2 208 is fed to the D flip-flop 210 clock input and the NAND gate 209. The SHUTDOWN_CLK 171 signal is fed to the D flip-flop 210 reset and the NAND gate 209. Blocks 201, 202, 203, 205, 206 and 207 are chains of inverters, represented in FIGS. 4(b), 4(c), 4(c), 4(d), 4(e) and 4(e), respectively. Depending on the state of the OSC_FREQ 171 signals, from (0,0,0,0) to (1,1,1,1), asserted on the multiplexers MUX1 204 and MUX2 208, the results yield an effective circuit varying in the number of inverters. In FIG. 7(b) a chain of 8 inverters 211-218 is shown, each connected to VPP 24 through capacitors 219-226. These capacitors act to swamp all routing capacitance through the circuit. Similarly, FIG. 7(c) shows the corresponding 4 inverter chain, with inverters 227-230 and capacitors 231-234. FIG. 7(d) shows the 2 inverter chain with inverters 235 and 236, capacitors 237 and 238. Finally, FIG. 7(e) also shows two inverters 239 and 240, but with only a single capacitor 241 attached to the output of the second inverter 240. Two inverters are required in this last case, because an even number of inverters, in conjunction with the NAND gate 209, is required to give the ring a net overall inversion, sustaining the Ring Oscillator 156. It is the combined propagation delays through all the inverters, the NAND gate 209 and the multiplexers MUX1 204 and MUX2 208 which generate the 16 different frequencies of the Ring Oscillator 156 listed above.
[0056] At manufacturing time, the frequency selected is based on calibration with an established time standard. This standard may be provided by the Real Time Clock 5, or by "Start" and "Stop" time commands timed and sent from a trusted system. Using the Real Time Clock 5 provides the optimal calibration input. This calibration is accomplished at the same time secret keys are installed and can only be done in the manufacturing mode. The final set frequency, as read from the lowest four bits of the Oscillator Control Register 152, is stored in the battery-backed RAM 8 or some other non-volatile memory. Each time the device is reset, or power is applied, the device assures itself that the final set frequency stored in non-volatile memory is correct by using modification detection codes, as described below. If the final set frequency is correct then it is loaded into the lowest four bits of the Oscillator Control Register 225, thus re-establishing the optimal operating frequency of the Ring Oscillator 156. If the final set frequency is incorrect, as stored in the non-volatile memory, then no value is loaded into the Oscillator Control Register 225, thus leaving it at its reset value. Leaving the Ring Oscillator 156 at its reset value, which is the lowest programmable frequency, ensures proper operation of the device even under conditions of non-volatile memory corruption. For example, it assures that the internal Micro Controller clock input SYSCLK 216 is never driven at too high a frequency, which could lead to malfunction and possible security breach.

v. Real-Time Clock.

[0057] For the reasons disclosed above, as well as an innate temperature variability of about 30% over the SPU's operating range, the System Clock 2 represents a secure but somewhat inaccurate timing device, suitable for internal clocking of the Micro Controller 3, but not for keeping UNIX time or to control timed and time-of-day events.

[0058] Referring to FIG. 1, the RTC Oscillator 14 is designed to produce a 32.768 kHz signal, RTCLK 29, through use of an external quartz crystal 15. Alternatively, one could bypass the RTC Oscillator 14 and generate RTCLK 29 through an external clock. OSC_ON 42 allows the oscillator to be stopped even though battery power is applied to the device. This prevents drain on the battery, as for example, while the system is in inventory before it is sold. The output RTCLK 236 from the RTC Oscillator 241 is used to drive the Real Time Clock, as described below.
[0059] With reference to FIG. 8, the Real Time Clock 5 consists of a binary Ripple Counter 302, a Bus Interface and Decoder 301, and a Synchronization Block 303. The Ripple Counter 302 may be a conventional shift register array with 15 bits allocated to counting fractions of seconds, output via SFC 306, and 32 bits allocated to a seconds counter, output via SC 307. The value of SC 307, when combined with an offset in the local battery-backed RAM Block 8, produces the sought-after UNIX time. The final carry-over in the Ripple Counter 302 produces the ROLLOVER 34 signal.

[0060] The Bus Interface and Decoder 301 interfaces with the Internal Bus 10 and supplies the system clock CTTL 25, the aforementioned OSC_ON 42 signal, and signals CLEAR_RTC 304 and CLOCK_RTC 305. CLEAR_RTC 304 is used to reset the Ripple Counter 302. CLOCK_RTC 305 allows the Micro Controller 3 to clock the Ripple Counter 302 without resorting to RTCLK 29, and thus permits testing of the device.

[0061] As RTCLK 29 is an external asynchronous signal, the resulting signals SFC 306, SC 307 and ROLLOVER 34 need to be treated by the Synchronization Block 303, in the manner of the Silicon Firewall described earlier. Thereafter, the SFC 306 and SC 307 signals may be appropriately channeled through the Internal Bus 10 in response to polling by the Micro Controller 3. The use of the ROLLOVER 34 signal will be discussed in the context of the Rollover Bit discussed below.

[0062] In accordance with the alarm wake-up feature of the alternative embodiment discussed above, a Countdown Counter 308 (represented in ghost) is set by the Micro Controller 3 via counter control signals sent on the Internal Bus 10, decoded by the Bus Interface and Decoder 301 and transmitted via line(s) 310. Thus, when the Countdown Counter 308 accomplishes a predetermined count, as clocked off the Ripple Counter 302 signals SC 307 or SFC 306, it would issue an ALARM 38 signal in the same manner as described above. In addition, the ROLLOVER 309 signal, passed through OR gate 309, may provide the basis of another wake up signal via ALARM 38.

vi. Inverting Key Storage.

[0063] It is desirable to place secret information (e.g., the decryption key) in the volatile, or generally, re-writable memory of the SPU. The secret information will be destroyed if power to the SPU is turned off. On the other hand, if the secret information is placed in non-volatile memory, an attacker can remove the SPU and at his leisure and by conventional means examine the information in the non-volatile memory.

[0064] If secret information is not loaded into the volatile memory properly, ...

... It is also possible to implement an inverting Key Storage ... used to put the cells 824 and 825 in a toggle ... memory cell 824. ... The signal on line 836 indicates whether the output on line 839 is the original or the inverted signal.
vii. Additional Security Features.

[0068] In addition to the features described above, ... ways. For example, the physical coating disclosed in application Ser. No. ..., incorporated herein by reference, has ...

... Secure Non-Volatile Memory can be EEPROM cells providing protection against external detection of the ... described earlier (FIGS. 9, 10).
... Package removal, or de-encapsulation, will thus likely expose the die to ambient light, even if inadvertently on the attacker's part. Detecting such light could act as input information for suitable responsive countermeasures to take place.

[0071] The construction of a light-sensitive device can be implemented in many standard CMOS processes without any extra masks or steps. For example, lightly doped N-type material exhibits a conductivity proportional to the amount of light to which the material is exposed.

[0072] Referring to FIG. 1, the Photo Detector 16 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. A plurality of such detectors may be placed at strategic places within the SPU, which may be used to localize and further characterize the nature of any intrusion.

ii. High/Low Temperature Detector.

[0073] The normal temperature operating range for the SPU is 0°C to 70°C. Any temperature above this range, in most applications, might well be considered to be the result of an intrusion attempt by an attacker, as for example, the heat generated by grinding away at the chip's outer layer. A substrate diode, well-known to the art, should be sufficient for detecting temperature changes, although any other comparable device known to those of ordinary skill in the art for performing temperature measurement should suffice.

[0074] With reference to FIG. 1, the Temperature Detector 17 signal passes through the Silicon Firewall 20 before setting a bit in the Status Register 11. Nothing in accordance with this invention precludes a multi-bit field characterizing a temperature scale, or a plurality of such detectors, to characterize any temperature differentials within the SPU.

iii. Metallization Layer.

[0075] Modern day integrated-circuit analysis equipment is able to probe the contents of an integrated circuit while power is applied to the circuit. As a result, it is possible to detect a key, or other secret data for that matter, which is stored in volatile memory. One way to protect the secret key is to cover the key with a metal layer which is able to deflect probing signals directed thereon. However, this metal layer could be removed or altered fairly easily by an attacker. Consequently, protecting the key through the use of a metal layer, as contemplated in the prior art, is rather ineffective.

[0076] One way to enhance the security of the metal layer is for the SPU to contain means for detecting any alteration of the metal layer which covers the key, or any particularly sensitive data for that matter. The SPU can then take actions to respond to the alteration. One embodiment of the invention is shown in FIG. 11. The metal layer is divided into many metal traces, shown in FIG. 11 as parts 852-857. Each trace is connected to an output pin of a latch 860 and an input pin of a latch 862. These two latches are connected to the system bus 868, which is in turn connected to the Micro Controller and the memory. They are also connected to the Status Register 11. Traces 852 and 853 pass over a first area 864, traces 854 and 855 pass over a second area 865, and traces 856 and 857 pass over a third area 866.

[0077] During a system bus cycle, the individual output pins of latch 860 are driven to either a logic high or a logic low, depending on the value of a random number generator (either implemented in hardware or software). As a result, the traces 852-857 should be set to a corresponding logic high or a logic low value. At a later bus cycle, latch 862 latches in the logic levels of traces 852-857. If any of the latched logic levels are different from the logic level originally driven by latch 860, it is assumed that an attack has been mounted on the SPU.

[0078] Another embodiment of the invention is shown in FIG. 12. The metal layer is again divided into many metal traces, shown in FIG. 12 as numerals 902-904. These metal traces are connected to a logic high potential. FIG. 12 also contains a plurality of AND gates, shown as numerals 906-908, and a plurality of memory cells 913-916. Each of the AND gates 906-908 has one input terminal connected to one of the traces 902-904 and one output terminal connected to one of the power lines 910-912 of memory cells 914-916, respectively. The other terminals of each of AND gates 906-908 are connected to power lines 909-911, respectively. These power lines 909-911 could feed off VPP 24, for example.

[0079] When the metal traces are in their normal condition, i.e., connected to a logic high potential, the inputs of the AND gates are in a logic high potential. Thus, all the memory cells are powered by the outputs of the AND gates. However, if any one of the metal traces is removed, the output of the corresponding AND gate will be changed to a logic low, which turns off the associated memory cell. Since the output of an AND gate is connected to the input of an adjacent AND gate, the output of the adjacent AND gate becomes a logic low, which turns off the memory cell associated with the adjacent AND gate. This sequence of events propagates until all the outputs of the AND gates become a logic low. As a result, all the memory cells are turned off resulting in the destruction of the data stored therein. This embodiment does not require any action of the Micro Controller and could amount to a last-ditch defense.

[0080] A third embodiment of the invention is a LATN cell, shown in FIG. 13 as 920. LATN cell 920 is essentially a latch with a weak feedback path so that any intrusion in the cell will cause the cell to toggle. A control signal on line 925 is applied to a transmission gate 924 and, through an inverter 926, to another transmission gate 924. As a result, only one of the transmission gates is turned on at a time. When transmission gate 922 is turned on, a data signal on line 927 passes through an inverter 928 to output inverters 929 and 930. An inverter 931 is connected to inverter 929 in order to provide an inverted output. When transmission gate 922 is turned off, the data signal is no longer passed to the inverters. However, the output signal retains its value because of the feedback provided by an inverter 932 and transmission gate 924.

[0081] One of the important features of the LATN cell 920 of the present invention is that the feedback inverter 932 has weak output power. Thus, if the LATN cell 920 is exposed to radiation introduced by a probe, the feedback path is ... The Metallization Layer itself provides a passive defense to probing, as discussed below.
iv. Rollover Bit and the Clock Integrity Check.

... in the Status Register 11 by the ROLLOVER 34 signal. This rollover bit is configured to be read/write mask, i.e. it can only be ...

Next, a fixed benchmark performance test is conducted 555. Many of these types of tests are known and need not be alluded to here. The important thing is that ... such length established during production time testing or, alternately, clocked at run time for the ... its operational frequency, should provide the necessary ... degree ... System Clock 2 allowing such a comparison. As described earlier, the System Clock 2 also exhibits a considerable variation with temperature; thus, the time comparison ... tolerance ... If the comparison falls outside this tolerance, the security problem should be signalled 559, but in either case the process would then terminate 558.
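An added example, not code from the patent, of the manufacturing-time calibration of [0056] and the run-time clock integrity check above: a constructed die model stands in for the Ring Oscillator 156, and the 40 MHz Micro Controller limit, the benchmark length and the 30% tolerance (after the temperature variability quoted in [0057]) are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define RTC_HZ         32768u  /* RTCLK 29; the 15-bit SFC counter rolls over once per second */
#define OSC_SETTINGS   16      /* OSC_FREQ 172 is a 4-bit value */
#define OSC_FREQ_RESET 0u      /* reset value: the lowest programmable frequency */

/* Nominal Ring Oscillator 156 frequencies in Hz for OSC_FREQ 0..15 ([0054]);
 * SYSCLK 35 is the nominal value divided by two. */
static const double NOMINAL_RING_HZ[OSC_SETTINGS] = {
    22.0e6, 23.0e6, 24.8e6, 26.2e6, 27.7e6, 29.0e6, 31.9e6, 34.3e6,
    37.8e6, 40.2e6, 46.0e6, 51.2e6, 58.8e6, 64.9e6, 82.2e6, 102.2e6 };

/* Constructed model of one die: `die_scale` lumps process variation and
 * temperature drift into one factor applied to every setting. Real silicon
 * is measured rather than modelled; this stands in for the oscillator. */
static double sysclk_hz(unsigned osc_freq, double die_scale)
{
    return NOMINAL_RING_HZ[osc_freq & 0xFu] / 2.0 * die_scale;
}

/* The measurement primitive: SYSCLK cycles counted between a "Start" and a
 * "Stop" that are `rtc_ticks` RTCLK ticks apart ([0056]). */
uint32_t count_sysclk_cycles(unsigned osc_freq, double die_scale, uint32_t rtc_ticks)
{
    return (uint32_t)(sysclk_hz(osc_freq, die_scale) * rtc_ticks / RTC_HZ);
}

/* Manufacturing-mode calibration: sweep all sixteen settings, time each over one
 * second of RTC ticks, and keep the highest setting whose measured SYSCLK stays at
 * or below `max_sysclk_hz` (an assumed limit of the Micro Controller 3). The result
 * is the 4-bit value kept in the Oscillator Control Register and saved in RAM 8. */
unsigned calibrate_osc_freq(double die_scale, double max_sysclk_hz)
{
    unsigned best = OSC_FREQ_RESET;
    for (unsigned f = 0; f < OSC_SETTINGS; f++) {
        uint32_t per_second = count_sysclk_cycles(f, die_scale, RTC_HZ);
        if ((double)per_second <= max_sysclk_hz)
            best = f;                   /* the table is in ascending order */
    }
    return best;
}

/* Production-time reference for the clock integrity check: how many RTC ticks
 * a fixed benchmark of `bench_cycles` SYSCLK cycles takes (block 555). */
uint32_t time_benchmark_ticks(unsigned osc_freq, double die_scale, uint32_t bench_cycles)
{
    return (uint32_t)(bench_cycles / sysclk_hz(osc_freq, die_scale) * RTC_HZ + 0.5);
}

/* Run-time check: the same benchmark is re-timed against the RTC and must land
 * within `tolerance` (a fraction) of the reference. With about 30% temperature
 * variability the tolerance must be at least that wide; a clock outside it is
 * flagged as a security problem (block 559). */
int clock_integrity_ok(uint32_t reference_ticks, uint32_t measured_ticks, double tolerance)
{
    double lo = reference_ticks * (1.0 - tolerance);
    double hi = reference_ticks * (1.0 + tolerance);
    return (double)measured_ticks >= lo && (double)measured_ticks <= hi;
}

int main(void)
{
    const double max_sysclk = 40.0e6;   /* assumed Micro Controller limit */
    const uint32_t bench = 1000000u;    /* constructed benchmark length in SYSCLK cycles */

    /* Manufacturing: this die runs 10% slow; calibrate it and record the reference. */
    unsigned f = calibrate_osc_freq(0.9, max_sysclk);
    uint32_t ref = time_benchmark_ticks(f, 0.9, bench);
    printf("OSC_FREQ=%u (%.2f MHz SYSCLK), benchmark reference=%u ticks\n",
           f, sysclk_hz(f, 0.9) / 1e6, ref);

    /* In the field, hot: oscillator 20% slower than at calibration, still in tolerance. */
    uint32_t hot = time_benchmark_ticks(f, 0.9 * 0.8, bench);
    printf("hot die:    %4u ticks -> %s\n", hot, clock_integrity_ok(ref, hot, 0.30) ? "ok" : "PROBLEM");

    /* In the field, half speed: beyond any temperature effect, so it is flagged. */
    uint32_t slow = time_benchmark_ticks(f, 0.9 * 0.5, bench);
    printf("half speed: %4u ticks -> %s\n", slow, clock_integrity_ok(ref, slow, 0.30) ? "ok" : "PROBLEM");
    return 0;
}
```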
v. VRT Security Bit and Power Integrity Check.

[0088] The VRT Security Bit is provided to inform the system that both the battery and system power supply have fallen below an acceptable voltage, for example 2V. When that occurs, any volatile storage information, as well as the time count in the Real Time Clock 5, may be lost. References to RAM 8 in this context will be deemed to include off-chip RAM powered by VOUT 23. Referring to FIG. 1, the VRT bit may be implemented as a special bit in the Status Register 11, with voltage detection circuitry tied to VPP 24, such as pull-up or pull-down resistors, designed to make the bit go low in the absence of sufficient voltage. Thus, the VRT bit is cleared by the Power Block 13, and is only set by the Micro Controller 3 via Status Read/Write lines 36. The VRT bit is used in conjunction with rewritable-memory modification detection codes on the RAM 8, to perform an overall integrity check on the battery-backed section of the SPU. The modification detection codes may be any one of an assortment of suitable codes, as is well-known in the art, from a simple checksum, to a cyclic redundancy check (CRC), to more elaborate algorithms such as MD5 owned by RSA Data Security, Inc., each affording different levels of security, compactness and error recoverability. For example, a simple checksum, while easy to implement, allows a large degree of freedom for an attacker to overwrite the contents of RAM 8 while preserving the same overall checksum. Whichever modification detection code is used, the code result is conventionally stored along with the RAM 8 it is measuring.

[0089] With reference now to FIG. 14(b), the general power integrity check process 251 will be described. As the SPU is powered up, the Micro Controller 3 performs the necessary initialization operations on the SPU 252. Then, the Micro Controller 3 polls the Status Register 11 to ascertain the state of the VRT bit 253. If the VRT bit is set to 1, a modification detection operation on the RAM 8 is performed 254. Then, the SPU determines if any modification has been detected 255. If not, the SPU is said to be in its normal operating state, and thus should only implement commands that give restricted access to its secret data 256, and the process then exits 257.

[0090] If a modification has been detected, the SPU is in an error state and so the security problem is signalled 258 and the process exits 257.

[0091] If the VRT bit is set to 0, a modification detection operation is also performed 259. If no modification is detected, the SPU is in a secure, albeit low power state; in other words, although the RAM 8 presently checks out, the power cannot be trusted and so this problem should be signalled 261 and the process exits 257.

[0092] Finally, there is the scenario where modification was detected, yet VRT is 0 - this modification detection is spurious as the RAM 8 is in a random configuration, i.e. it is said to be in the manufacturing state. The following is a description of a response taken in one embodiment of this invention, and should not be read to preclude any number of possible responses in this state. In this one embodiment, the SPU could zeroize all secret data areas and use the default operational configuration parameters, such as the lowest System Clock 2 oscillator frequency, stored preferably in the ROM 7, to operate in the most trustworthy state 262. The SPU then could enter a mode whereby manufacturing tests may be performed and the configuration parameters may be set 263. Then, any manufacturing tests may be performed in order to guarantee the reliability of the SPU 264. Once those tests have been made successfully, the secret data, such as the keys, may be loaded, and a modification detection code performed on the entire contents of RAM 8 and stored therein 265. Finally, the SPU will set the VRT bit to 1, putting it into the normal operating state 266, after which the process may exit 257.

vi. Bus Monitoring Prevention.

[0093] With PDPS one is concerned with protecting secret information which, among other objectives, implies thwarting any attempt to monitor the internal data transactions that carry secret information. It is axiomatic that a device incorporating PDPS must have input and output ports, taking in data, performing operations on this data using the internal secret information and then outputting the resulting data. If an integrated circuit could be altered in such a way that the secret information contained in the device could be extracted through an input or output port, or if a random failure within the device caused this to happen, then the PDPS system would no longer be secure.

[0094] Prior solutions for keeping secret information have involved restricting such information to within the confines of a single integrated circuit chip, thus preventing an interloper with standard evaluation tools from monitoring inter-chip data traffic and thereby discerning the secret information. This confinement approach required a high degree of chip integration, in order that all functions needing the secret information are implemented on the same piece of silicon. Also, input and output ports of these integrated circuits would need to be disabled while secret information was being internally transferred.

[0095] The prior solutions relied on the difficulty in modifying already complete manufactured integrated circuits. This is no longer the case, as semiconductor evaluation tools have drastically improved in their sophistication and capabilities. It is now possible to modify parts of an integrated circuit without damaging the other parts or the chip's overall function. Thus, a device which would keep its secret information on internal buses only, could now be modified to transfer that information to its input or output ports. This is a lot easier to implement than creating specially-made probes to tap into the internal bus. It should be repeated that even random failures within an integrated circuit have been known to result in a similar scenario. In both cases, therefore, monitoring the input and output ports would allow the sec
ret information to be determined.

[0096] The basis on which to combat this problem, in the present invention, is to create a mechanism internal to the ...

[0098] It should be noted that the use, or non-use, of ... Referring to FIG. 15, this process shall now be described. The Micro Controller 3 determines whether secret data needs to be transferred onto the Internal Bus 10 ... If not, data may be transferred on the Internal Bus 10 in the conventional manner 353. If secret data is to be transferred on the Internal Bus 10, the Micro Controller ... In one embodiment, before ...

... contained in or protected by the hardware device.

[0103] A typical attack strategy is now described. An attacker would monitor the hardware and software operation of the components for some period of time during normal operation. As a result, the attacker could determine the normal command structure of the programmable components in the hardware device. The attacker would then create his/her own command sequences (e.g., by slightly modifying the commands or the command operators, or even creating entirely different commands) based on the information obtained. The reaction of the components to these command sequences is then recorded, thus building up a "characterization database." As the operation of the components becomes understood, the signals sent to the components are no longer random but are designed to identify commands that could defeat the security of the system.

[0104] It can be seen from the above attack strategy that the components in the hardware device, including the microprocessor, will receive a large number of invalid commands, at least during the initial phase of the attack. Consequently, one aspect of the present invention is for the SPU to detect the occurrence of an excessive number of invalid commands and to take appropriate actions to defeat or hinder the attack. One should bear in mind that some perfectly innocent functions generate a series of invalid commands, as for example, when a computer upon boot-up interrogates all peripheral devices and ports to determine if they are present and active.

[0105] One means by which to measure an "excessive number" of invalid commands is to determine the number of invalid commands per unit time. The appropriate time unit can be determined by: (1) the rollover time of a counter driven by an oscillator, such as RTCLK 29; (2) a predetermined number of ticks of the Real Time Clock 5; or (3) a software timing loop. If the number of invalid commands per unit time exceeds a predetermined value ("limit parameter"), appropriate action will be taken by the SPU.

[0106] In some situations, it may be preferable for the SPU to set several limit parameters, each having an associated action. FIG. 17 contains a flowchart 940 which includes four limit parameters. Note that the number of limit parameters is illustrative only, and any number of limit parameters may be used. The flowchart begins at step 940 and then sets the values of each of the four limit parameters 942. The flowchart then branches into a loop consisting of blocks 946-966.

[0107] In block 946, the SPU determines whether a command is valid. If the command is valid, it is processed in the regular manner (block 948). The flowchart then branches back to block 946 to fetch and examine another command. If the command is not valid, flowchart 940 goes to block 950, which calculates the number of invalid commands per unit time. The result of the calculation is compared with the first limit parameter (block 952). If the result is less than the first limit parameter, then no tamper-reactive action is taken, and the flowchart branches back to block 946 to process the next command. If the result is larger than the first limit parameter, the process generates a signal indicating a first level security problem (block 954).

[0108] The flowchart then branches to block 956, which compares the number of invalid commands per unit time with a second limit parameter. If the number is less than the second limit parameter, then no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the second limit parameter, the process generates a signal indicating a second level security problem (block 958).

[0109] The flowchart 940 then branches to block 960, which compares the number of invalid commands per unit time with a third limit parameter. If the number is less than the third limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the third limit parameter, the process generates a signal indicating a third level security problem (block 958).

[0110] The flowchart 940 then branches to block 964, which compares the number of invalid commands per unit time with a fourth limit parameter. If the number is less than the fourth limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to process the next command. If the number is larger than the fourth limit parameter, the process generates a signal indicating a fourth level security problem (block 958).

[0111] It is of course up to the supervisory program to decide what steps to take in response to signals of the various limit security problems. The SPU can be programmed to take any or all appropriate actions.
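An added example, not part of the patent, of the invalid-command monitor of FIG. 17: invalid commands are counted per unit time (here a fixed number of RTC ticks, option (2) of [0105]) and compared against four ascending limit parameters; the command table, window length and limit values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define RTC_HZ     32768u   /* RTCLK 29 ticks per second */
#define NUM_LIMITS 4        /* four limit parameters as in FIG. 17; any number may be used */

typedef struct {
    uint32_t window_ticks;        /* the "unit time": a fixed number of RTC ticks */
    uint32_t limit[NUM_LIMITS];   /* limit parameters set in block 942, ascending */
    uint32_t window_start;        /* RTC tick at which the current unit of time began */
    uint32_t invalid_count;       /* invalid commands seen in the current unit of time */
} InvalidCmdMonitor;

void monitor_init(InvalidCmdMonitor *m, uint32_t window_ticks, const uint32_t limits[NUM_LIMITS])
{
    m->window_ticks = window_ticks;
    for (int i = 0; i < NUM_LIMITS; i++)
        m->limit[i] = limits[i];
    m->window_start = 0;
    m->invalid_count = 0;
}

/* Block 946: the constructed command set of this example; anything else is invalid. */
int command_is_valid(uint8_t opcode)
{
    static const uint8_t valid[] = { 0x10, 0x11, 0x20, 0x21, 0x30, 0x7f };
    for (size_t i = 0; i < sizeof valid; i++)
        if (valid[i] == opcode)
            return 1;
    return 0;
}

/* One pass around the loop of blocks 946-966 for a command arriving at RTC tick `now`.
 * Returns 0 when the command is processed normally (948) or the count is still below
 * the first limit, else the highest level (1..NUM_LIMITS) whose limit parameter the
 * count has exceeded. Valid commands do not reset the count within a window. */
int monitor_command(InvalidCmdMonitor *m, uint8_t opcode, uint32_t now)
{
    if (now - m->window_start >= m->window_ticks) {   /* a new unit of time begins */
        m->window_start = now;
        m->invalid_count = 0;
    }
    if (command_is_valid(opcode))
        return 0;                                     /* 948: regular processing */
    m->invalid_count++;                               /* 950: invalid commands per unit time */
    int level = 0;
    for (int i = 0; i < NUM_LIMITS; i++)              /* 952, 956, 960, 964 */
        if (m->invalid_count > m->limit[i])
            level = i + 1;                            /* 954, 958, ...: signal this level */
    return level;
}

/* Feed `count` copies of `opcode` one tick apart from `start`; return the level
 * signalled for the last one. Used by main() and the tests. */
int monitor_burst(InvalidCmdMonitor *m, uint8_t opcode, uint32_t start, uint32_t count)
{
    int level = 0;
    for (uint32_t i = 0; i < count; i++)
        level = monitor_command(m, opcode, start + i);
    return level;
}

int main(void)
{
    InvalidCmdMonitor m;
    const uint32_t limits[NUM_LIMITS] = { 8, 16, 32, 64 };   /* constructed values */
    monitor_init(&m, RTC_HZ, limits);                        /* unit time: one second */

    /* Boot-up probing ([0104]): a short run of invalid commands stays below limit 1. */
    printf("boot probing, 6 invalid:  level %d\n", monitor_burst(&m, 0xEE, 0, 6));
    printf("3 valid commands:         level %d\n", monitor_burst(&m, 0x10, 6, 3));
    printf("3 more invalid (9 total): level %d\n", monitor_burst(&m, 0xEE, 9, 3));
    /* The next second starts a fresh count; a sustained stream climbs the levels. */
    printf("new window, 9 invalid:    level %d\n", monitor_burst(&m, 0xEE, RTC_HZ, 9));
    printf("8 more invalid:           level %d\n", monitor_burst(&m, 0xEE, RTC_HZ + 9, 8));
    printf("16 more invalid:          level %d\n", monitor_burst(&m, 0xEE, RTC_HZ + 17, 16));
    printf("32 more invalid:          level %d\n", monitor_burst(&m, 0xEE, RTC_HZ + 33, 32));
    return 0;
}
```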

c. Programmable Security. 

[0112] The Programmable Distributed Personal Security System is based on the orchestration of three conceptually distinct, but nonetheless, interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of an attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The selection of responses by the filters would be said to constitute the "policy" of the SPU. The present invention permits a wide capability in all three of the detectors, filters and responses, allowing a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.

[0113] The effectiveness of this PDPS trio is enhanced significantly by the other design features of the SPU architecture disclosed herein, for example: the Power Block 13, Power Isolation 13, Silicon Firewall 20, System Clock 2 and ...

... present, in order to select the response R, 520.

[01 1 9] By custom tailoring the correlation of the detector signals, as well as the selection of the responses, a program- 
mable security system can be application- as well as environment-specific. 

iii. Responses.

[0120] The final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set of countermeasures to any conceivable attack scenario. These responses can be categorized into five major groups: (i) passive; (ii) alarms; (iii) decoy activity; (iv) restriction of access; and (v) destructive. Examples of each are given in TABLE I, which is meant to be an illustrative, but by no means exhaustive, list.



TABLE I
Examples of Typical Responses

Passive:            • Non-response  • Log attack internally
Alarm:              • Signal local computer  • Signal remote computer  • Set I/O Port pin high
Decoy:              • Random command response  • Random external bus activity
Restricted Access:  • Disable SPU for period of time  • Require recertification  • Disabling use of keys, passwords
Destructive:        • Destroy keys  • Destroy secret data  • Disable SPU permanently


[0121] A passive response would be one where the SPU conveys no external signal, nor functions in any observable manner differently from its normal mode of operation. This would of course include the classic "non-response" discussed earlier, but also an on-board logging of the attack with its type, timestamp, context, etc.
[0122] An alarm response would indeed convey an externally detectable signal. The SPU may signal the calling application, for instance, to alert the user that the SPU is aware of the attack and may have to proceed to more drastic measures if such attack is not discontinued. In a situation where the SPU is connected via a network or modem to some monitoring computer, as for example in an information metering context, the SPU may signal that remote computer to tell that the local user is attempting to attack it. On the hardware level, an alarm may be implemented simply by setting a particular pin on the I/O Port 1 high.

[0123] A decoy response is one that departs from the normal mode of SPU activity. It may indeed mimic valid SPU activity. Examples would be to execute SPU commands, or to generate signals on the External Bus Interface 9, either selected at random or from some predetermined set.

[0124] A restricted access response would be to disable some functions from the normal mode of SPU operation. Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling operations involving specific keys or passwords.

[0125] Finally, there is the destructive response, which disables functionality of the SPU permanently. Examples 
include destruction in memory, by erasing keys or other secret data, or permanent physical disablement, such as the 
burning out of internal fuses. 

d. Attack Scenarios.

[0126] Now that the overall structure of the invention has been laid out, it is fruitful to describe in detail the various attack scenarios, the manner in which they are conducted, the information or effect they wish to achieve or access, the design features of the SPU that would thwart such an attack, factors that are relevant in reacting to such attacks, and finally, responses appropriate to such an attack. A summary of the applicable disclosed SPU features, detectors and responses is to be found in TABLE II. These scenarios are by no means exhaustive, but merely illustrative. All further references, unless specified otherwise, are to elements of FIG. 1.
TABLE II
Summary of Attack Scenarios

Attack Type: Electrical Attack on I/O Ports
  SPU Protective Feature(s): • Silicon Firewall 20  • Alarm wake up
  Triggered Detector(s):     • Bus Monitor  • Trip Wire Input  • Software Attack Monitor  • Metallization layer detector 18  • Photo Detector 16
  Suggested Response(s):     • Random command response  • Random external bus activity  • Disable SPU temporarily  • Disable SPU permanently

Attack Type: Clock Attack
  SPU Protective Feature(s): • Silicon Firewall 20  • System Clock 2  • Real Time Clock 5
  Triggered Detector(s):     • RTC Rollover Bit  • Monotonicity test  • System/Real Time Clock cross-check  • Temperature Detector 17
  Suggested Response(s):     • Use other clock  • Disable metering functions

Attack Type: Key Attack
  SPU Protective Feature(s): • Battery-backed RAM 8  • Metallization layer 18  • Inverting key storage
  Triggered Detector(s):     • Metallization layer detector  • Bus Monitor  • VRT Security Bit
  Suggested Response(s):     • Disable use of keys  • Destroy keys

Attack Type: Physical Attack
  SPU Protective Feature(s): • Physical coating  • Metallization layer
  Triggered Detector(s):     • Temperature Detector 17  • Photo Detector 16
  Suggested Response(s):     • Disable keys, secret data  • Destroy keys, secret data

Attack Type: Combination Attack
  SPU Protective Feature(s): • Any/all of the above
  Triggered Detector(s):     • Any/all of the above
  Suggested Response(s):     • Any/all of the above

Attack Type: User Fraud
  SPU Protective Feature(s): • Silicon Firewall 20  • Power Block 13
  Triggered Detector(s):     • RTC Rollover Bit  • Monotonicity test  • System/Real Time Clock cross-check  • VRT Security Bit
  Suggested Response(s):     • Signal Local Computer  • Signal Remote Computer  • Disable metering functions  • Require recertification

i. Electrical Attack on I/O Ports.

[0127] Arguably, the simplest form of attack would be an electrical attack on the I/O Port 1. This type of attack requires very little special hardware. The attacker simply uses the same system configuration that is used in the normal application; however, instead of using the intended software, the attacker creates his own code to interrogate the device. The attacker could go one step further and place monitoring equipment on strategic points in the circuit, as for example the SPU pins or PAL outputs. This would allow the attacker to more thoroughly characterize the chip in its normal operation, and when it is under attack.

[0128] The typical approach would be to monitor the hardware or software for some period of time during normal operation. From this the attacker could determine the normal command sequence. After this characterization, the attacker could then create his own command sequences based on the information he has obtained. He could try to slightly modify the commands or the command operators to get the device to perform different functions. He might also try to issue commands that he did not see before to see how the device would react. All during this process the attacker would be recording the responses to the different stimuli. As patterns are detected, the data that is issued to the device is no longer random but designed to further evaluate the particular operation. This continues until a particular operation is fully characterized. It would be the attacker's intention to identify commands or responses that could defeat the overall system. For example, the attacker might be looking for a reset operation command, and could then issue such command at inappropriate times.
[0129] The Silicon Firewall 20 would prevent asynchronous signals from the attacker overwhelming the system. The Software Attack Monitor (FIG. 17) would be very sensitive to the overall characterization process. Possibly appropriate responses, in accordance with the measured stages of the Software Attack Monitor, would be to lead an attacker astray with random responses, or eventual disablement of the SPU.


ii. Clock Attack.

[0130] Many applications of the SPU could employ the Real Time Clock 5 advantageously, as for example in information metering. However, the Real Time Clock 5 could be attacked in a variety of ways. The external crystal 15 could be substituted to modify the frequency of the RTC Oscillator 15 and hence the internal Real Time Clock 5. The SPU is designed to perform integrity tasks, one of which is to check the Real Time Clock 5 against the System Clock 2 to see if it is operating in the correct range (FIG. 14(a)). However, in one embodiment, these integrity tasks would be performed only when the entire system is powered; when system power VDD 22 is removed, only the battery-backed Real Time Clock 5 remains operational. It is at this opportunity that an attacker could attack the external crystal 15 without immediate detection. As the Real Time Clock 5 uses a simple binary ripple counter, an attacker could advance the counter until it rolled over. Subsequently, the attacker could continue to run the clock forward to whatever given time reading he wished. This is analogous to the resetting of the odometer of a used car by an unscrupulous dealer.
[0131] The inaccessibility of the internal System Clock 2 to attack, and the Real Time Clock 5 buffering the time signal through an internal Silicon Firewall, certainly stand as barriers in the attacker's way. The System Clock/Real Time Clock cross-check of FIG. 14(a) would detect any switch on power up. If an attacker tried to set the System Clock 2 off by cooling or heating the SPU, the Temperature Detector 17 would give such an approach away, as would a clock cross-check, hitherto successful, eventually failing for falling outside the operational tolerance. Furthermore, an attacker attempting to roll over the Real Time Clock 5 would cause the ROLLOVER 34 signal to go off. A possible response would be to use the System Clock 2 to whatever extent possible in lieu of the Real Time Clock 5 should that clock prove untrustworthy. However, that option is highly application-dependent; in an information metering context, a more likely response would be to disable all metering functions.

iii. Key Attack.

[0132] Secret information is stored in volatile memory, such as RAM 8 within the SPU, rather than ROM 7. This is done to prevent an attacker from gaining access to this information by simply de-encapsulating the SPU chip and "reading" the schematic. However, when keys or other such secret information are stored in volatile memory within a chip, one can deprocess the chip and detect residual charge in the volatile memory which may reveal the contents stored therein. The act of deprocessing would cause power to be removed from the volatile memory, thus causing the data within the memory to be lost, as the charge decays within the semiconductor. However, if the volatile memory contains the same data for a protracted period of time, charge may build up in the dielectric portion of the memory cell, charge which may be feasible to detect despite removal of power. Also, it may be possible to artificially age the memory device by elevating the voltage and changing the operational temperature of the silicon, thus making the SPU even more susceptible to this memory effect.

[0133] As described earlier, the Inverting Key Storage (FIGS. 9, 10) feature would thwart such key attack by averaging out any residual charge. The de-encapsulation process would be rendered more difficult by the presence of the Metallization layer, and the Metallization Layer detector 18 would be set off the moment such layer was cut. The protocol of the Bus Monitor Prevention (FIG. 15), transferring only parts of keys from RAM 8 to the DES Block 6 via Internal Bus 10, would hinder tracing the keys, as well as giving away such attempts. Possible responses might be to disable the keys or other secret data from use, or, where the security concerns are very high or the assault unrelenting, to finally destroy them. Active zeroization could be used to assure such process of erasure is complete.

iv. Physical Attack.

[0134] An attacker might try to de-encapsulate a chip in order to reverse engineer it. Simple observation of the chip layout can lead one experienced in the art to determine where the Micro Controller 3, I/O Port 1, memory, etc., are located. Recognizing the pedigree of a chip, i.e. knowing the manufacturer and the series number and prior chips therefrom, can also aid in the resolution of functionality. Some structures are laid down randomly; others such as RAM and ROM are well-known and normally laid down in regular patterns via chip design macros, meaning that large areas of a chip need not be reverse engineered. Detailed resolution of the chip layout can result in reverse engineering of a chip, a process that might cost as much as $100,000 with today's technology.

[0135] Semiconductor industry evaluation tools now provide the capability of making edits to an integrated circuit after processing has been completed. For example, Focused Ion Beam Mill technology has advanced to the point where the equipment is capable of selectively removing or depositing material on the surface of an integrated circuit. These devices can remove layers of metal and oxide and also lay down layers of metal on the integrated circuit's surface. These devices are ostensibly used to debug integrated circuits by cutting metal traces that connect logic gates and by reconnecting the logical gates in a different manner. It is feasible to lay down internal probes; however, it is less costly and less difficult to modify an existing I/O port.

[0136] This kind of attack would first be thwarted by the physical coatings on the SPU, then the Metallization Layer; both acting to make difficult the process of ascertaining the chip layout and to actuate a connection of a test probe to nodes within the SPU. Such an attack would likely trigger the Metallization Layer Detector 18, the Photo Detector 16, and running the altered circuit live under system power VDD 22 would likely trigger the Bus Monitoring Prevention (FIG. 15). The same responses as given above would likely be appropriate as well. The actual act of de-encapsulation through grinding can create enough heat to trigger the Temperature Detector 17 as well as set off a vibration detector, and again, unless done in total darkness, exposure of the die would set off the Photo Detector 16. Disabling or even destroying the keys and secret data seem the most likely responses to such a scenario.

v. Combination Attack.

[0137] Deprocessing is a sophisticated process, requiring first de-encapsulation and then placing the chip, under power, on an ion probing station. Such a machine can actually detect voltage potentials at different parts of the chip, resolving the operational characteristics thereof. The probe cannot observe through a Metallization Layer; however, this would only serve to slow such a machine down. The machine can also be used to remove the Metallization Layer and thus uncover previously secure areas. The attacker might even try to reconnect any broken traces in the Metallization Layer before attempting to access secret information.

[0138] This attack would be slowed by practically every SPU protective feature, trigger practically all the aforementioned detectors, and could certainly be frustrated by any of the responses discussed and more. No guarantee of absolute security can ever be made, but as here the SPU, subject to the full range of defenses, would make an attack so costly in time and money as to make the whole attempt pointless for the types of applications contemplated.

vi. User Fraud.

[0139] The thrust of user fraud is not to reverse engineer the SPU; that is chiefly the province of parties wishing to reproduce compatible or competing SPU products. The fraudulent user instead wishes to use products incorporating an existing SPU outside of its intended use, e.g., not paying, or being wholly undercharged, for information used through an information metering device, which is a likely fraud scenario. Thus, such a user may try simple operations such as trying to roll over the clock, or by resetting the device at various operational stages, a user might hope to interfere with usage reporting or metering. Furthermore, also in the information metering context, by trying to overwrite the RAM 8, after a large purchase, with the contents of the same RAM 8 from before the purchase, a user might hope to erase the traces of such transaction.

[0140] The Power Block 13, with its powering up and down mechanisms, the Silicon Firewall 20, and the Software Attack Monitor (FIG. 17), give an attacker little opportunity for throwing the SPU into an unpredictable or unreliable state by inopportune resets, as discussed before. The protection of the ROLLOVER 34 signal and the clock cross-checks have also already been well described.

[0141] In the information metering context, usage might be based on pre-set credit limits, such that, should the SPU unit fail, it would be presumed that the credit limit had been completely used, and thus the metering functions would be disabled. The user could only overcome this presumption by physically turning over the unit to whatever servicing agent to prove it had not been tampered with, or by remote interrogation via modem for instance, and thereafter have the servicing agent recertify the SPU device.

e. Sample SPU Application. 

[0142] Now that the architecture of the SPU, the nature of the detectors, the detection/filtering/response paradigm of PDPS, and the nature of expected attacks have been discussed, it would be useful to proceed through a sample application which illustrates the principles of the present invention. For this purpose, a modest application is postulated: the use of the SPU-equipped PCMCIA card, an "access card", whose sole function is to provide digital cash. It thus operates as a simple debit-type card, programmed with a certain amount of money, and debited, through use of a PIN number in various transactions, until the entire programmed-in credit has been exhausted.

[0143] The detection/filtering/response process for this access card is as shown in FIG. 20. It is by no means meant to be comprehensive, nor necessarily truly realistic, but simply illustrative of the application-specific demands placed upon programmable security. References herein may also be made to other figures or particular elements present in FIG. 1. The process starts 1001 by determining whether any detector has been set off 1002. If not, the process loops back to 1002, preferably performing all the other tasks necessary to the application in the interim.
[0144] If the Photo Detector 16 is set off 1004, the next inquiry is whether such detection is sustained over a period of time 1034. For example, the access card may have been briefly passed through an X-ray machine at the airport. Such exposure should be very short term. Thus, if the exposure is not sustained, the event should just be logged 1042 and the process returns, through connectors 1043, 1003 to step 1002 (all references to connectors will henceforth be dispensed with for the sake of clarity). If the exposure is sustained, the next inquiry is whether this detection is in conjunction with other detectors going off. This may be the hallmark of many of the attack scenarios discussed earlier. If there is sustained photo detection in isolation, it is suspicious enough on its own that a prudent step might be to disable the access card until it is recertified by an appropriate agent 1034, and thereafter the process loops back to step 1002 until further action is taken. Combined with other detectors going off, however, it might be best to disable the access card permanently 1036, and the process would thus end there 1037.

[0145] If the Temperature Detector 17 is set off 1005, it may then be only necessary to ask whether it occurred in conjunction with other detectors going off 1030. This differs from the Photo Detector 17 scenario in that it is more likely that an access card would be subject to high heat for innocuous reasons, as for example, the user leaving the access card on the car dashboard all afternoon. Thus, the application would be more forgiving to mere sustained high temperature. In that case, the process may simply log the event 1042 and loop back to step 1002. Combined with other detectors going off, it may indeed be wise to disable the access card permanently in step 1036.

[0146] If the Metallization Layer Detector 18 is set off 1006, it would be hard to justify anything but a harsh policy to such an event, such as to disable the access card permanently 1036. An exception would be where the Metallization Layer Detector 18 were of the LATN cell type (FIG. 13), which is so sensitive that other detectors should be correlated to make sure that a serious attack is indeed being made on the access card.

[0147] If either the ROLLOVER 34 signal or the Clock Integrity Check (FIG. 14(a)) is triggered (steps 1008, 1009 respectively), it may be safe simply to ignore them 1028 and loop back to step 1002, as this simply is not a time-sensitive application.

[0148] If the Power Integrity Check (FIG. 14(b)) is triggered 1010, two situations are possible: (i) the error state; or (ii) the low-power state. In the error state, the contents of RAM 8 are no longer trustworthy, which merits that the access card be disabled permanently 1036. In the low-power state, the RAM 8 contents are still trustworthy, but the battery power may soon fail, which therefore merits a message to the user to the effect that if the credit is not soon transferred to another access card, it may be irreparably lost 1026. In the latter case, the process would again loop back to step 1002.

[0149] If either the Bus Monitor (FIG. 15) or Trip Wire Input (FIG. 16) are triggered 1012, there appears little justification to do otherwise than to disable the access card permanently 1036.

[0150] If the Software Attack Monitor (FIG. 17) is triggered 1014, a logical first step would be to determine if the access card is still in the handshaking phase 1016. This would correspond, for example, to the access card being inserted into a card reader and various protocols attempted until a proper link is established between the card and the card reader. In other words, this "handshaking" process should be excluded from serious security consideration. Thereafter, a particularly important command that the access card should be focused upon is the proper PIN number being issued by the user. Thus, the first time an improper command is given within the period of one transaction 1018, the process may simply log the event 1042. The second time an improper command is received within the period of one transaction 1020, the access card may issue a message to the user warning them not to do it again 1024, after which the process would again loop back to step 1002. The third time an improper command is received within the period of one transaction 1021, the access card may be disabled until recertification by an appropriate agent 1039; otherwise, it should be disabled permanently 1036.

[0151] If none of the above detectors is triggered, the process would loop back again to step 1002 to await further detected signals.
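The filter of [0112] applied to the FIG. 20 flow of [0143] to [0151], as an added worked example in C. This code is not from the patent: the detector bitmask, the spu_state_t fields, the response names and the one-pass evaluation order are assumptions made here, and the LATN-cell branch (where the patent only says other detectors "should be correlated") is modelled as logging and waiting for corroboration. The step numbers of FIG. 20 are kept in comments so each branch can be traced back to its paragraph.

```c
/* Added example, not from the patent: a one-pass software model of the FIG. 20
 * access-card policy.  detector_t, spu_state_t and the response names are
 * assumptions made here; FIG. 20 step numbers are kept in the comments. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    DET_PHOTO    = 1u << 0,   /* Photo Detector 16                 (step 1004) */
    DET_TEMP     = 1u << 1,   /* Temperature Detector 17           (step 1005) */
    DET_METAL    = 1u << 2,   /* Metallization Layer Detector 18   (step 1006) */
    DET_ROLLOVER = 1u << 3,   /* ROLLOVER 34 signal                (step 1008) */
    DET_CLOCK    = 1u << 4,   /* Clock Integrity Check, FIG. 14(a) (step 1009) */
    DET_POWER    = 1u << 5,   /* Power Integrity Check, FIG. 14(b) (step 1010) */
    DET_BUS      = 1u << 6,   /* Bus Monitor, FIG. 15              (step 1012) */
    DET_TRIPWIRE = 1u << 7,   /* Trip Wire Input, FIG. 16          (step 1012) */
    DET_SWATTACK = 1u << 8    /* Software Attack Monitor, FIG. 17  (step 1014) */
} detector_t;

typedef enum {
    RESP_NONE,                 /* nothing set off: keep looping at 1002 */
    RESP_LOG,                  /* log the event (1042) */
    RESP_IGNORE,               /* deliberately ignore (1028) */
    RESP_WARN_USER,            /* message warning the user (1024) */
    RESP_LOW_POWER_MSG,        /* ask the user to transfer the credit (1026) */
    RESP_DISABLE_UNTIL_RECERT, /* disable until recertified by an agent (1039) */
    RESP_DISABLE_PERMANENT     /* disable permanently (1036) */
} response_t;

typedef struct {
    uint32_t detectors;        /* bitmask of detector_t values currently set off */
    bool     photo_sustained;  /* exposure persisted over a period of time (1034) */
    bool     power_error;      /* FIG. 14(b): true = error state, false = low-power state */
    bool     metal_latn;       /* detector 18 is the very sensitive LATN cell type (FIG. 13) */
    bool     handshaking;      /* card still negotiating a link with the reader (1016) */
    unsigned improper_cmds;    /* improper commands seen within this transaction */
} spu_state_t;

/* The filter: correlate the detector signals with the operational factors above
 * and select one response.  Each branch follows the paragraph for that detector. */
response_t access_card_policy(const spu_state_t *s) {
    uint32_t d = s->detectors;
    if (d == 0) return RESP_NONE;                                       /* 1002 */

    if (d & DET_PHOTO) {                                                /* 1004 */
        if (!s->photo_sustained) return RESP_LOG;                       /* brief X-ray: 1042 */
        if (d & ~DET_PHOTO) return RESP_DISABLE_PERMANENT;              /* with others: 1036 */
        return RESP_DISABLE_UNTIL_RECERT;                               /* sustained, alone */
    }
    if (d & DET_TEMP) {                                                 /* 1005 */
        if (d & ~DET_TEMP) return RESP_DISABLE_PERMANENT;               /* 1030 -> 1036 */
        return RESP_LOG;                                                /* dashboard heat: 1042 */
    }
    if (d & DET_METAL) {                                                /* 1006 */
        /* Assumption: an isolated LATN cell hit is only logged until other
         * detectors corroborate it; the patent leaves this step open. */
        if (s->metal_latn && !(d & ~DET_METAL)) return RESP_LOG;
        return RESP_DISABLE_PERMANENT;                                  /* 1036 */
    }
    if (d & (DET_ROLLOVER | DET_CLOCK)) {                               /* 1008, 1009 */
        d &= ~(DET_ROLLOVER | DET_CLOCK);       /* not time-sensitive: ignore (1028) */
        if (d == 0) return RESP_IGNORE;         /* but still evaluate anything else */
    }
    if (d & DET_POWER)                                                  /* 1010 */
        return s->power_error ? RESP_DISABLE_PERMANENT                  /* RAM 8 untrustworthy */
                              : RESP_LOW_POWER_MSG;                     /* 1026 */
    if (d & (DET_BUS | DET_TRIPWIRE)) return RESP_DISABLE_PERMANENT;   /* 1012 -> 1036 */
    if (d & DET_SWATTACK) {                                             /* 1014 */
        if (s->handshaking) return RESP_IGNORE;                         /* 1016: protocol probing */
        if (s->improper_cmds <= 1) return RESP_LOG;                     /* 1018 -> 1042 */
        if (s->improper_cmds == 2) return RESP_WARN_USER;               /* 1020 -> 1024 */
        if (s->improper_cmds == 3) return RESP_DISABLE_UNTIL_RECERT;    /* 1021 -> 1039 */
        return RESP_DISABLE_PERMANENT;                                  /* otherwise: 1036 */
    }
    return RESP_NONE;
}

static const char *response_name(response_t r) {
    static const char *names[] = { "none", "log", "ignore", "warn user",
        "low-power message", "disable until recertified", "disable permanently" };
    return names[r];
}

int main(void) {
    spu_state_t s = { .detectors = DET_PHOTO, .photo_sustained = true };
    printf("sustained photo alone  -> %s\n", response_name(access_card_policy(&s)));
    s.detectors |= DET_TEMP;
    printf("sustained photo + heat -> %s\n", response_name(access_card_policy(&s)));
    s = (spu_state_t){ .detectors = DET_SWATTACK, .improper_cmds = 2 };
    printf("2nd improper command   -> %s\n", response_name(access_card_policy(&s)));
    return 0;
}
```

The ordering matters: because the photo and temperature branches test "any other detector" with `d & ~self`, an ignorable rollover counts as corroboration there, which is what the flowchart's "in conjunction with other detectors" implies.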

[0152] Although the invention has been described in detail with reference to its presently preferred embodiments, it will be understood by one of ordinary skill in the art that various modifications can be made, without departing from the spirit and the scope of the invention. Accordingly, it is not intended that the invention be limited except as by the appended claims.

Claims 

1. A secure cryptographic chip for processing and storing sensitive information, including messages received and generated by the chip and keys used to encrypt and decrypt the messages, and for securing the information against potential attacks, the chip comprising:

(a) a cryptographic engine for performing cryptographic operations on messages using a first key;

(b) one or more detectors for detecting events characteristic of an attack; and

(c) a plurality of potential responses to detected events, whereby sensitive information is unencrypted only on the chip, where it is secure from attack.


2. A chip according to claim 1 and including a programmable filter for correlating detected events with one or more operational factors and for selecting and invoking one or more responses based upon the correlation.

3. A chip according to claim 1, further comprising a key generator for generating a second key used by the cryptographic engine to perform cryptographic operations on the first key.

4. A secure chip according to claim 1 and further comprising:

(a) an internal system clock for synchronising functions performed on the chip; and

(b) an external signal synchroniser for synchronising to the internal system clock all asynchronous external signals received by the chip,

whereby the chip cannot be placed in an unknown state due to the receipt of asynchronous external signals.


5. A secure chip according to claim 4 wherein the external signal synchronizer synchronises asynchronous external 
signals by accepting and using the signals only at selected times determined by the internal system clock. 

6. A chip according to claim 1 and further comprising:

(a) an internal bus for transferring information among components of the chip;

(b) an input/output port for transferring information between internal components of the chip and external devices; and

(c) a bus monitor for periodically comparing the contents of the input/output port before and after the transfer of information along the internal bus,

whereby the chip can detect unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.

7. A chip according to claim 6 wherein the bus monitor compares the contents of the input/output port before and after:

(a) a first transfer of less than all of the sensitive information desired to be transferred along the internal bus; and

(b) a second transfer of the remaining sensitive information, if no change in the contents of the input/output port is detected following the first transfer,

whereby the chip can effectively prevent the unauthorised rerouting, to the input/output port, of sensitive information transferred along the internal bus.
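The two-step Bus Monitor protocol of claims 6 and 7, which [0133] describes as transferring only parts of keys from RAM 8 to the DES Block 6 over Internal Bus 10, as an added worked example in C. This is not the patent's code: spu_t and its fields, the 8-byte key and the half/half split are assumptions made here, and the `bus_rerouted` flag is a constructed fault standing in for the physical rerouting the monitor is built to detect.

```c
/* Added example, not from the patent: a software model of the Bus Monitor
 * protocol of FIG. 15 / claims 6-7.  spu_t, its fields and the transfer sizes
 * are assumptions; bus_rerouted is a constructed fault modelling a bus tap. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8

typedef struct {
    uint8_t ram_key[KEY_LEN];   /* key held in battery-backed RAM 8 */
    uint8_t des_key[KEY_LEN];   /* key register inside the DES Block 6 */
    uint8_t io_port[KEY_LEN];   /* contents of I/O Port 1 as the monitor reads them */
    bool    bus_rerouted;       /* constructed fault: Internal Bus 10 tapped into the I/O port */
    bool    bus_alarm;          /* Bus Monitor detector output */
} spu_t;

void spu_init(spu_t *spu, const uint8_t key[KEY_LEN], bool rerouted) {
    memset(spu, 0, sizeof *spu);
    memcpy(spu->ram_key, key, KEY_LEN);
    spu->bus_rerouted = rerouted;
}

/* Move len bytes of the key along Internal Bus 10.  With the fault present the
 * same bytes also land in the I/O port, which is what a rerouting would do. */
static void bus_transfer(spu_t *spu, size_t off, size_t len) {
    memcpy(spu->des_key + off, spu->ram_key + off, len);
    if (spu->bus_rerouted)
        memcpy(spu->io_port + off, spu->ram_key + off, len);
}

/* Claim 7 protocol: transfer part of the key, compare the I/O port before and
 * after, and move the remainder only if the port did not change.  On a change,
 * raise the Bus Monitor alarm and clear the partial key from the DES block.
 * Returns true when the whole key was loaded. */
bool load_key_monitored(spu_t *spu) {
    uint8_t before[KEY_LEN];
    const size_t first = KEY_LEN / 2;

    memcpy(before, spu->io_port, KEY_LEN);
    bus_transfer(spu, 0, first);
    if (memcmp(before, spu->io_port, KEY_LEN) != 0) {
        spu->bus_alarm = true;
        memset(spu->des_key, 0, KEY_LEN);
        return false;               /* at most half the key ever left RAM 8 */
    }
    bus_transfer(spu, first, KEY_LEN - first);
    return true;
}

int main(void) {
    const uint8_t key[KEY_LEN] = { 0x13, 0x34, 0x57, 0x79, 0x9B, 0xBC, 0xDF, 0xF1 }; /* constructed */
    spu_t spu;
    spu_init(&spu, key, false);
    printf("clean bus    : loaded=%d alarm=%d\n", load_key_monitored(&spu), spu.bus_alarm);
    spu_init(&spu, key, true);
    printf("rerouted bus : loaded=%d alarm=%d\n", load_key_monitored(&spu), spu.bus_alarm);
    return 0;
}
```

The before/after comparison only notices a tap whose bytes differ from what the port already held, which is why the split matters: even when the first transfer is not caught, the second half never leaves RAM 8 until the port has been checked, so the exposure is bounded to a partial key.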

8. A chip according to claim 1 and further comprising:

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock cycle frequency;

(b) an internal system clock for synchronising functions performed on the chip, the internal system clock cycle frequency within a predetermined range of accuracy; and

(c) a clock integrity checking means for causing the chip to perform a reference operation requiring a predetermined number of internal clock cycles and for determining, from the number of internal clock cycles elapsed per actual external clock cycle during the performance of the reference operation, whether the number of elapsed actual external clock cycles lies within the range of expected external clock cycles,

whereby the chip can detect unauthorised tampering with the external clock frequency.

9. A chip according to claim 1 and further comprising:

(a) a real time clock controlled by an external clock crystal having a substantially consistent external clock frequency, the real time clock having a counter for counting the number of elapsed external clock cycles;

(b) a rollover detector for detecting whether the real time clock counter rolled over; and

(c) a rollover bit, set upon detecting that the real time clock counter rolled over,

whereby, if the rollover bit is set during an operation not expected to require a sufficient number of external clock cycles to cause the counter to roll over, the chip will detect unauthorised tampering with the external clock frequency.
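The clock integrity check of claim 8 (the System Clock/Real Time Clock cross-check of FIG. 14(a) discussed in [0130] and [0131]), the rollover bit of claim 9, and the monotonicity test named in TABLE II, as one added worked example in C. This code is not from the patent: rtc_t, the nominal frequencies, the length of the reference operation and the tolerance are assumptions made here, and a substituted crystal is modelled simply by running the RTC at a different frequency while the reference operation executes.

```c
/* Added example, not from the patent: a software model of the System Clock /
 * Real Time Clock cross-check (FIG. 14(a), claim 8), the ROLLOVER bit (claim 9)
 * and the monotonicity test of TABLE II.  rtc_t, the frequencies, the
 * reference-operation length and the tolerance are assumptions made here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REF_INTERNAL_CYCLES 1000000u  /* internal cycles the reference operation takes (assumed) */
#define SYSCLK_HZ           4000000u  /* nominal System Clock 2 frequency (assumed) */
#define CRYSTAL_HZ          32768u    /* nominal external crystal 15 frequency (assumed) */
#define SYSCLK_TOL_PCT      10u       /* System Clock 2 accuracy, +/- percent (assumed) */

/* Real Time Clock 5: a binary counter of crystal cycles plus the ROLLOVER bit. */
typedef struct {
    uint32_t counter;
    bool     rollover;    /* ROLLOVER 34: latched when the counter wraps */
} rtc_t;

/* Advance the counter by n crystal cycles, latching the rollover bit on wrap. */
void rtc_tick(rtc_t *rtc, uint32_t n) {
    uint64_t sum = (uint64_t)rtc->counter + n;
    if (sum > 0xFFFFFFFFull) rtc->rollover = true;
    rtc->counter = (uint32_t)sum;
}

/* Range of crystal cycles the reference operation should consume, widened by
 * the System Clock 2 tolerance.  Ideal = REF * CRYSTAL / SYSCLK = 8192 here. */
void expected_ext_cycles(uint32_t *lo, uint32_t *hi) {
    uint64_t ideal = (uint64_t)REF_INTERNAL_CYCLES * CRYSTAL_HZ / SYSCLK_HZ;
    *lo = (uint32_t)(ideal * (100 - SYSCLK_TOL_PCT) / 100);   /* 7372 */
    *hi = (uint32_t)(ideal * (100 + SYSCLK_TOL_PCT) / 100);   /* 9011 */
}

typedef enum { CLOCK_OK, CLOCK_OUT_OF_RANGE, CLOCK_ROLLOVER } clock_status_t;

/* Run the reference operation while the RTC is actually driven at
 * actual_crystal_hz (a substituted crystal would change this) and judge the
 * RTC advance against the expected range.  A rollover during so short an
 * operation is reported on its own, as claim 9 describes. */
clock_status_t clock_cross_check(rtc_t *rtc, uint32_t actual_crystal_hz) {
    uint32_t lo, hi;
    expected_ext_cycles(&lo, &hi);

    uint32_t before = rtc->counter;
    rtc->rollover = false;
    /* crystal cycles that elapse while the internal clock runs REF_INTERNAL_CYCLES */
    uint32_t observed = (uint32_t)((uint64_t)REF_INTERNAL_CYCLES * actual_crystal_hz / SYSCLK_HZ);
    rtc_tick(rtc, observed);

    if (rtc->rollover) return CLOCK_ROLLOVER;
    uint32_t delta = rtc->counter - before;
    if (delta < lo || delta > hi) return CLOCK_OUT_OF_RANGE;
    return CLOCK_OK;
}

/* Monotonicity test: a fresh RTC reading must never be below the last one
 * recorded in battery-backed RAM 8; a lower reading means the clock was wound back. */
bool rtc_monotonic(uint32_t last_recorded, uint32_t now) {
    return now >= last_recorded;
}

int main(void) {
    static const char *names[] = { "ok", "out of range", "rollover" };
    rtc_t rtc = { 0, false };
    printf("genuine crystal : %s\n", names[clock_cross_check(&rtc, CRYSTAL_HZ)]);
    printf("2x crystal      : %s\n", names[clock_cross_check(&rtc, 2 * CRYSTAL_HZ)]);
    rtc_t near_wrap = { 0xFFFFFFFFu - 100u, false };
    printf("near wrap       : %s\n", names[clock_cross_check(&near_wrap, CRYSTAL_HZ)]);
    printf("wound back      : %s\n", rtc_monotonic(1000, 999) ? "ok" : "detected");
    return 0;
}
```

As [0130] notes, the cross-check only runs while VDD 22 is present; the rollover bit and the monotonicity comparison against the last recorded reading are what cover the battery-only window.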

10. A chip according to claim 1 and further comprising: 

(a) a rewritable memory for storing sensitive information; 

(b) a power loss detector for detecting that the loss of both system and battery power is imminent; and 

(c) a VRT bit for indicating the sufficiency of system and battery power following the loading of sensitive infor- 
mation into the rewritable memory, the VRT bit being set upon the loading of the sensitive information into the 
rewritable memory and reset upon the detection of power loss, 

whereby the chip can detect the need to save the sensitive information prior to the actual loss of both system and 
battery power. 

11. A chip according to claim 10 and further comprising a rewritable memory modification detector for detecting modi- 
fication of the rewritable memory, whereby the chip can detect the need to reload the sensitive information into the 
rewritable memory. 

12. A chip according to claim 1 wherein the chip comprises: 

(a) a rewritable memory for storing sensitive information having a substantially constant value; 

(b) a memory inverter for periodically inverting the contents of each cell of the rewritable memory; and 

(c) a memory state bit for indicating whether the contents of each cell of the rewritable memory are in their 
actual state, or in the inverted state, 

whereby the contents of the rewritable memory contain effectively no residual indication of the constant value of the 
sensitive information. 
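The Inverting Key Storage of claim 12, which [0133] credits with "averaging out any residual charge" against the deprocessing attack of [0132], together with the active zeroization [0133] mentions, as an added worked example in C. This is not the patent's code: keystore_t, the inversion timer, the zeroization patterns and the dwell-time simulation (a count of how many periods each cell held a 1, standing in for the charge an attacker would try to read) are assumptions made here.

```c
/* Added example, not from the patent: a software model of the Inverting Key
 * Storage of FIGS. 9-10 / claim 12 plus an active zeroization step.  keystore_t,
 * keystore_invert() and the dwell-time model are assumptions made here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN  8
#define KEY_BITS (KEY_LEN * 8)

typedef struct {
    uint8_t cells[KEY_LEN];   /* RAM 8 cells: hold the key or its complement */
    bool    inverted;         /* memory state bit of claim 12 */
} keystore_t;

void keystore_write(keystore_t *ks, const uint8_t key[KEY_LEN]) {
    memcpy(ks->cells, key, KEY_LEN);
    ks->inverted = false;
}

/* Periodic inversion, run from a timer: every cell flips, so over time each
 * cell spends as long holding a 1 as holding a 0. */
void keystore_invert(keystore_t *ks) {
    for (size_t i = 0; i < KEY_LEN; i++) ks->cells[i] = (uint8_t)~ks->cells[i];
    ks->inverted = !ks->inverted;
}

/* Logical read: undo the inversion using the state bit. */
void keystore_read(const keystore_t *ks, uint8_t out[KEY_LEN]) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = ks->inverted ? (uint8_t)~ks->cells[i] : ks->cells[i];
}

/* Active zeroization: overwrite with two complementary patterns and then zero,
 * through a volatile pointer so the stores are not optimised away; then verify. */
bool keystore_zeroize(keystore_t *ks) {
    volatile uint8_t *p = ks->cells;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0xA5;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0x5A;
    for (size_t i = 0; i < KEY_LEN; i++) p[i] = 0x00;
    ks->inverted = false;
    for (size_t i = 0; i < KEY_LEN; i++)
        if (p[i] != 0) return false;
    return true;
}

/* Residual-charge model: count, per bit, how many timer periods the cell held
 * a 1.  dwell[] is what a deprocessing attack would effectively be measuring. */
void simulate_dwell(keystore_t *ks, unsigned periods, bool invert, unsigned dwell[KEY_BITS]) {
    memset(dwell, 0, KEY_BITS * sizeof dwell[0]);
    for (unsigned p = 0; p < periods; p++) {
        for (size_t b = 0; b < KEY_BITS; b++)
            if ((ks->cells[b / 8] >> (b % 8)) & 1) dwell[b]++;
        if (invert) keystore_invert(ks);
    }
}

/* Largest dwell difference between any two bits, i.e. the signal left for an
 * attacker.  With inversion it is at most one period; without it, every period. */
unsigned dwell_spread(const unsigned dwell[KEY_BITS]) {
    unsigned lo = dwell[0], hi = dwell[0];
    for (size_t b = 1; b < KEY_BITS; b++) {
        if (dwell[b] < lo) lo = dwell[b];
        if (dwell[b] > hi) hi = dwell[b];
    }
    return hi - lo;
}

int main(void) {
    const uint8_t key[KEY_LEN] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF }; /* constructed */
    keystore_t ks;
    unsigned dwell[KEY_BITS];
    uint8_t out[KEY_LEN];

    keystore_write(&ks, key);
    simulate_dwell(&ks, 100, false, dwell);
    printf("no inversion: dwell spread = %u periods\n", dwell_spread(dwell));
    keystore_write(&ks, key);
    simulate_dwell(&ks, 100, true, dwell);
    keystore_read(&ks, out);
    printf("inversion:    dwell spread = %u periods, key reads back %s\n",
           dwell_spread(dwell), memcmp(out, key, KEY_LEN) == 0 ? "correctly" : "WRONG");
    return 0;
}
```

The state bit is what makes the scheme usable: a reader never needs to know which phase the timer is in, and an attacker who recovers the cells without the bit cannot tell the key from its complement. The zeroization step, as [0133] suggests, belongs after a "destroy keys" response so that the erasure is verified rather than assumed.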